Kubernetes v1.36 Sneak Peek: DRA Partitionable Devices and Faster SELinux

Kubernetes v1.36 is scheduled for release on April 22, 2026. While the final feature set remains subject to change, the current development cycle includes several significant enhancements that cluster operators should evaluate for their platform roadmaps. This preview covers the features most likely to impact production deployments.

DRA Support for Partitionable Devices

The most substantial infrastructure advancement in v1.36 is Dynamic Resource Allocation (DRA) support for partitionable devices. This enhancement allows a single hardware accelerator—such as a GPU—to be divided into multiple logical units shared across workloads.

For organizations running GPU-intensive workloads, this addresses a fundamental efficiency problem: many workloads don’t require an entire GPU, yet traditional Kubernetes device plugins allocate exclusively by physical device. Partitionable devices via DRA enable sub-allocations with maintained isolation, allowing platform teams to achieve higher utilization from expensive hardware.

DRA device taints and tolerations also graduate to beta in v1.36. DRA drivers can now mark devices as tainted, preventing their use for scheduling except by workloads with matching tolerations. This enables use cases such as reserving specific GPU models for inference serving while keeping others available for training jobs.

Faster SELinux Volume Mounting (GA)

The SELinux volume mounting optimization introduced in v1.28 as beta reaches General Availability in v1.36. Rather than recursively relabeling files after mount, the kernel now applies the correct SELinux context during mount via the context= mount option.

For clusters running with SELinux enforcing mode—particularly in regulated environments—this change eliminates a significant source of pod startup latency. The improvement is especially pronounced for pods mounting large volumes or running on nodes with many existing files that would otherwise require relabeling.

Note: This feature defaults to enabled for all volumes in v1.36. Pod authors should ensure correct seLinuxChangePolicy settings to avoid potential privilege conflicts when privileged and unprivileged pods share volumes.

External Signing of ServiceAccount Tokens

ServiceAccount tokens can now be signed by external systems rather than the Kubernetes control plane’s internal keys. This allows integration with cloud key management services, hardware security modules (HSMs), and centralized signing infrastructure.

The kube-apiserver delegates token signing to external services via a beta feature expected to graduate to GA in v1.36. For organizations requiring centralized key management or specific compliance certifications, this removes a significant operational barrier to Kubernetes adoption.

Deprecations and Removals

v1.36 introduces two significant deprecations that require migration planning:

  • service.spec.externalIPs: Deprecated due to security concerns (CVE-2020-8554). This field has enabled man-in-the-middle attacks on cluster traffic. Deprecation warnings appear in v1.36; removal is planned for v1.43. Migration paths include LoadBalancer services, NodePort, or Gateway API.
  • gitRepo volume driver: Removed permanently in v1.36 after being deprecated since v1.11. This volume type posed a critical security risk where attackers could execute code as root on nodes. Workloads must migrate to init containers or external git-sync tools.
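
One way to find affected objects before upgrading, as an added example (not code from the Kubernetes project): a Python audit that flags Services using externalIPs and workloads using gitRepo volumes. It assumes input in the shape of `kubectl get services,pods,deployments,statefulsets,daemonsets,jobs,cronjobs -A -o json`; the function names and the sample objects are constructed for illustration.

```python
import json

# Key path from each kind's root to its pod spec.
TEMPLATE = ("spec", "template", "spec")
POD_SPEC_PATHS = {
    "Pod": ("spec",),
    "Deployment": TEMPLATE, "StatefulSet": TEMPLATE, "DaemonSet": TEMPLATE,
    "ReplicaSet": TEMPLATE, "Job": TEMPLATE,
    "CronJob": ("spec", "jobTemplate") + TEMPLATE,
}

def dig(obj, path):
    """Follow a key path; return {} if any level is missing or null."""
    for key in path:
        obj = (obj or {}).get(key)
    return obj or {}

def audit(kubectl_json):
    """Return sorted (namespace, kind, name, finding) tuples."""
    doc = json.loads(kubectl_json)
    findings = []
    for item in doc.get("items", [doc]):  # a List or a single object
        kind = item.get("kind", "")
        meta = item.get("metadata", {})
        ident = (meta.get("namespace", ""), kind, meta.get("name", ""))
        if kind == "Service":
            ips = dig(item, ("spec",)).get("externalIPs") or []
            if ips:
                findings.append(ident + ("externalIPs=" + ",".join(ips),))
        elif kind in POD_SPEC_PATHS:
            for vol in dig(item, POD_SPEC_PATHS[kind]).get("volumes") or []:
                if "gitRepo" in vol:
                    findings.append(ident + ("gitRepo volume=" + vol.get("name", ""),))
    return sorted(findings)

def _obj(kind, ns, name, spec):
    return {"kind": kind, "metadata": {"namespace": ns, "name": name}, "spec": spec}

# Constructed sample in the shape of `kubectl get ... -o json` output.
SAMPLE = json.dumps({"kind": "List", "items": [
    _obj("Service", "shop", "legacy-api", {"type": "ClusterIP", "externalIPs": ["203.0.113.10"]}),
    _obj("Service", "shop", "web", {"type": "LoadBalancer"}),
    _obj("Deployment", "ci", "builder", {"template": {"spec": {"volumes": [
        {"name": "src", "gitRepo": {"repository": "https://git.example.invalid/app.git"}},
        {"name": "tmp", "emptyDir": {}}]}}}),
    _obj("CronJob", "ci", "nightly", {"jobTemplate": {"spec": {"template": {"spec": {
        "volumes": [{"name": "scratch", "emptyDir": {}}]}}}}}),
]})

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print("\t".join(row))
```

When both a controller and the Pods it owns are in the input, each is reported; fix the controller's template, since the Pods are recreated from it.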

Ingress-NGINX Retirement Context

The v1.36 release coincides with the March 2026 retirement of the Ingress-NGINX project. While not a code change in Kubernetes itself, this timeline convergence means many clusters upgrading to v1.36 will also be migrating off Ingress-NGINX to Gateway API implementations. Operators should coordinate these activities to minimize transition risk.
