Guest: Drew Hagen
Project: Kubernetes
Show: KubeStruck
Topic: Kubernetes
Kubernetes 1.35 marks a turning point for production workloads. With in-place pod resource updates graduating to general availability, native workload identity, and AI-optimized scheduling, this release addresses the core challenges enterprises face when running mission-critical applications at scale. Drew Hagen, Kubernetes 1.35 Release Lead, explains how these features eliminate downtime, simplify architecture, and prepare the platform for the next generation of AI and edge workloads.
Eliminating Downtime with In-Place Pod Updates
The standout feature in Kubernetes 1.35 is in-place pod resource updates reaching general availability. Previously, adjusting CPU or memory limits required restarting pods, causing downtime that many production workloads simply cannot afford. Now, teams can vertically scale pods dynamically without interruption.
“We’re moving into a future that demands more from our workloads,” Hagen explains. “Being able to vertically scale pods in place without having to restart an application is really powerful because we can’t accept downtime on some of these workloads.”
This capability is particularly critical for AI training jobs that run continuously for extended periods. Teams can now adjust resources based on real-time needs without losing progress or interrupting computation.
Smarter Scheduling for AI and Distributed Workloads
Kubernetes 1.35 introduces workload objects that group pods for all-or-nothing scheduling. This matters for distributed AI training jobs where multiple pods must connect to the same stateful dataset. Either all components start together, or none do, preventing partial deployments that waste resources.
The scheduler also gains numerical comparisons in taints and tolerations, creating a scoring system for node selection. Teams can assign different ratings to spot instances versus on-demand instances, optimizing cost and reliability based on workload requirements.
Node feature declaration, now in alpha, allows nodes to advertise their capabilities before scheduling. This prevents pods from landing on incompatible nodes and ensures expensive GPU resources are reserved for workloads that actually need them. “You wouldn’t want to run a bunch of pods on a node that has an expensive GPU and pay for all that uptime,” Hagen notes. “Deploying applications that are best suited to a GPU gets its best value there.”
Native Workload Identity Simplifies Security
Previously, securing service-to-service communication in Kubernetes required third-party tools like SPIFFE/SPIRE or cert-manager. Kubernetes 1.35 introduces native workload identity and automated certificate rotation, drastically simplifying cluster architecture.
“Now that we have the capability to have stronger identification and certification natively on the pods, that’s going to simplify the architecture that operators have to design into their clusters,” Hagen explains.
The release also strengthens security boundaries with user namespaces, allowing pods to run with specific user IDs without elevating permissions to root on the host. Better node impersonation protections prevent rogue machines from joining clusters and extracting sensitive information. Pods must now authenticate to pull container images from node caches, preventing unauthorized access to sensitive images.
Observability and Quality of Life Improvements
Two new alpha endpoints improve native observability. The statuses endpoint provides rich JSON objects on pod health across all core Kubernetes components. The flags endpoint exposes command-line flags used at pod startup, eliminating the need to attach to pods and dig through logs.
Kubernetes 1.35 also introduces KYAML, a new format that remains valid YAML while incorporating JSON-like features. Square brackets denote lists, curly braces indicate objects, and double-quoted keys reduce parsing ambiguity. This makes Kubernetes manifests easier for both humans and machines to read.
Technical Debt and Deprecations
The community is phasing out support for cgroups v1. Operators should upgrade to operating systems supporting cgroups v2. IPVS in kube-proxy is being deprecated in favor of nftables, which offers more modern capabilities. Support for containerd 1.x ends in the next release, making this the last call to upgrade to containerd 2.x.
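A node preflight for the three deprecations above (cgroups v1, IPVS mode in kube-proxy, containerd 1.x), as an added example that is not part of the interview or of the Kubernetes project. The function names are hypothetical, and the live lookup assumes a kubeadm-style `kube-proxy` ConfigMap with a `config.conf` key.

```shell
#!/usr/bin/env bash
# Added example: node preflight for the deprecations listed above.
# Classifiers take strings so they can be checked on constructed input.

# cgroup_mode <fstype>: fstype is the output of `stat -fc %T /sys/fs/cgroup`.
cgroup_mode() {
  case "$1" in
    cgroup2fs) echo v2 ;;
    tmpfs)     echo v1 ;;      # a v1 hierarchy is mounted on a tmpfs
    *)         echo unknown ;;
  esac
}

# containerd_major <line>: line is `containerd --version` output,
# "containerd <package> <version> <revision>".
containerd_major() {
  local v
  v=$(printf '%s\n' "$1" | awk '{print $3}')
  v=${v#v}
  echo "${v%%.*}"
}

# kube_proxy_mode <config>: reads `mode:` from a KubeProxyConfiguration.
# An empty or missing mode is treated as the Linux default, iptables.
kube_proxy_mode() {
  local m
  m=$(printf '%s\n' "$1" |
    sed -nE 's/^[[:space:]]*mode:[[:space:]]*"?([a-z]*)"?[[:space:]]*$/\1/p' | head -n1)
  echo "${m:-iptables}"
}

# preflight <fstype> <containerd line> <kube-proxy config>
# Prints one finding per line; returns 1 if anything needs action.
preflight() {
  local rc=0 maj
  [ "$(cgroup_mode "$1")" = v2 ] || { echo "cgroup: not v2 (saw '$1')"; rc=1; }
  maj=$(containerd_major "$2")
  case "$maj" in
    ''|*[!0-9]*) echo "containerd: version not recognised"; rc=1 ;;
    1) echo "containerd: 1.x in use, upgrade to 2.x"; rc=1 ;;
  esac
  [ "$(kube_proxy_mode "$3")" != ipvs ] || { echo "kube-proxy: ipvs mode, plan for nftables"; rc=1; }
  return "$rc"
}

# Live run on a node; the ConfigMap name and key assume a kubeadm cluster.
if [ "${1:-}" = "--live" ]; then
  preflight "$(stat -fc %T /sys/fs/cgroup)" "$(containerd --version 2>/dev/null)" \
    "$(kubectl -n kube-system get cm kube-proxy -o jsonpath='{.data.config\.conf}' 2>/dev/null)"
fi
```

Run it with `--live` on a node that has `kubectl` access; without the flag the file only defines the functions.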
The Ingress NGINX controller retirement, while not part of the 1.35 release itself, highlights sustainability challenges in open source. “If we don’t have enough maintainers to support a particular component, it won’t be viable for us to safely continue maintaining it,” Hagen says. Teams should evaluate the Gateway API as an alternative.
The Timbernetes Theme: A Maturing Ecosystem
The release theme, “Timbernetes,” uses the world tree from Norse mythology as a metaphor for Kubernetes as a living global system. It represents the platform reinforcing its core around security and stability while expanding branches to support demanding new workloads.
The logo features squirrels with RPG roles representing release activities: the rogue triager navigating issues, the tech wizard reviewing pull requests, and the branch manager warrior cutting new versions. “We wanted to create something that was fun but also symbolic of a project that is maturing thoughtfully while continuing to grow,” Hagen says.
Production Impact
Kubernetes 1.35 delivers features enterprises have been waiting for. In-place updates enable true vertical scaling without downtime. Native workload identity simplifies security architecture. AI-optimized scheduling and node feature declaration ensure workloads land on appropriate infrastructure. These aren’t experimental features—they’re production-ready capabilities that change how teams operate Kubernetes at scale.
For organizations running AI workloads, edge deployments, or mission-critical applications, Kubernetes 1.35 represents a significant maturation of the platform. Teams should review the official release notes and begin planning upgrade paths to take advantage of these capabilities.





