Kubernetes 1.35: Security-First Release
Released December 2025
This release feels like the Kubernetes maintainers finally grabbed the security checklist and knocked out years of improvements at once: 17 security-related changes, hardened defaults, and legacy cleanup.
Why Kubernetes 1.35 Matters
Kubernetes 1.35 is quietly significant for anyone who cares about hardening their clusters, and a little nerve-wracking for anyone depending on older behavior. It closes old doors, replaces aging assumptions, and puts more control in the hands of administrators who want tighter defaults.
Changes That May Break Things
cgroup v1 Support Removed
Starting with Kubernetes 1.35, kubelet support for cgroup v1 is disabled by default: a kubelet started on a cgroup v1 host will not come up unless the legacy mode is explicitly re-enabled in the kubelet configuration. Confirm that every node runs cgroup v2 before upgrading.
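The cgroup check that the upgrade checklist below refers to (stat -fc %T /sys/fs/cgroup/), turned into a preflight script. This is an added example, not code from the page or the Kubernetes project; the debug image used for the cluster-wide sweep is an assumption and only needs a coreutils stat.

```bash
#!/usr/bin/env bash
# Added example: classify a node's cgroup hierarchy before a 1.35 upgrade.
# The filesystem type that `stat -fc %T` reports for /sys/fs/cgroup is the
# discriminator: "cgroup2fs" is the unified (v2) hierarchy, "tmpfs" is the
# legacy v1 (or hybrid) layout that the 1.35 kubelet refuses by default.
set -u

cgroup_mode() {
  # $1: filesystem type as printed by `stat -fc %T /sys/fs/cgroup/`
  case "$1" in
    cgroup2fs) echo "v2" ;;
    tmpfs)     echo "v1" ;;
    *)         echo "unknown" ;;
  esac
}

# Returns 0 on cgroup v2, 1 on cgroup v1 (upgrade blocker), 2 if undetermined.
check_host_cgroups() {
  local fstype mode
  fstype=$(stat -fc %T /sys/fs/cgroup/ 2>/dev/null) || { echo "cannot stat /sys/fs/cgroup"; return 2; }
  mode=$(cgroup_mode "$fstype")
  case "$mode" in
    v2) echo "OK: cgroup v2 ($fstype)"; return 0 ;;
    v1) echo "BLOCKER: cgroup v1 ($fstype); boot with systemd.unified_cgroup_hierarchy=1 before upgrading"; return 1 ;;
    *)  echo "UNKNOWN: /sys/fs/cgroup is $fstype"; return 2 ;;
  esac
}

# Cluster-wide sweep: run the same stat on every node through a throwaway
# `kubectl debug` pod, which mounts the node's root filesystem at /host.
# The image is an assumption; any image with GNU coreutils works.
sweep_nodes() {
  local node
  for node in $(kubectl get nodes -o jsonpath='{.items[*].metadata.name}'); do
    printf '%-30s ' "$node"
    kubectl debug "node/$node" --image=debian:bookworm-slim --quiet -- \
      stat -fc %T /host/sys/fs/cgroup/ 2>/dev/null || echo "debug failed"
  done
}

if [ "${1:-}" = "--local" ]; then check_host_cgroups; fi
```

Run it with --local on a node, or call sweep_nodes from a workstation with cluster access; any node that prints tmpfs needs to be switched to the unified hierarchy and rebooted before the kubelet is upgraded.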
Secret-Pulled Images Enforced
The new kubelet configuration field imagePullCredentialsVerificationPolicy controls whether a pod may use an image that is already present on the node. With verification enabled, the kubelet checks that the pod's own pull credentials were used to pull that image, so one tenant can no longer reuse a private image that another tenant's pod cached on the node.
SPDY to WebSockets Transition
kubectl exec, attach and port-forward now use WebSockets instead of the deprecated SPDY protocol. The API server authorizes these connection upgrades with the 'create' verb on the pods/exec, pods/attach and pods/portforward subresources, so RBAC rules that only grant 'get' on those subresources will start failing.
Hardened Kubelet Certificate Validation
When the API server connects to a kubelet (for logs, exec and similar requests), it now validates that the kubelet's serving certificate CN matches system:node:<nodename> for the node it is addressing, so a certificate issued to one node cannot be used to impersonate another. This only applies when the API server verifies kubelet certificates at all (--kubelet-certificate-authority).
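A way to check the same property from outside the cluster before upgrading: pull each kubelet's serving certificate and compare its CN to the node name. This is an added example, not code from the page or the Kubernetes project; the node name and address are whatever your inventory supplies, and port 10250 is the kubelet default.

```bash
#!/usr/bin/env bash
# Added example: verify a kubelet serving certificate's CN against the node name.

# Extract the CN from an RFC2253 subject line as printed by
# `openssl x509 -subject -nameopt RFC2253`, e.g.
#   subject=CN=system:node:worker-1,O=system:nodes
cn_from_subject() {
  local orig="${1#subject=}" s
  s="${orig#*CN=}"                 # drop everything up to the CN attribute
  [ "$s" != "$orig" ] || return 1  # no CN attribute present at all
  printf '%s\n' "${s%%,*}"         # CN value ends at the next comma or end of string
}

# $1: node name, $2: subject line. Succeeds only if CN == system:node:<node>.
node_cn_ok() {
  local cn
  cn=$(cn_from_subject "$2") || return 1
  [ "$cn" = "system:node:$1" ]
}

# Live check: $1 node name, $2 node address (name or IP).
check_kubelet_cert() {
  local node="$1" addr="$2" subject
  subject=$(openssl s_client -connect "${addr}:10250" -servername "$addr" </dev/null 2>/dev/null \
    | openssl x509 -noout -subject -nameopt RFC2253) || { echo "no cert from $addr"; return 2; }
  if node_cn_ok "$node" "$subject"; then
    echo "OK   $node: $subject"
  else
    echo "FAIL $node: expected CN=system:node:$node, got: $subject"
    return 1
  fi
}
```

Any FAIL line is a node whose kubelet will be rejected by a 1.35 API server that verifies kubelet certificates; regenerate that node's serving certificate (or let the kubelet request a new one) before upgrading the control plane.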
New Security Features
Constrained Impersonation
A new, opt-in impersonation mode in which the impersonator must be authorized both to impersonate the target subject and to perform the specific action while impersonating, instead of inheriting everything the impersonated subject may do. An account with impersonation rights can no longer be used as a shortcut to arbitrary cluster-admin actions.
Flagz for Kubernetes Components
A new /flagz endpoint on the control plane components and the kubelet reports the command-line flags each process is actually running with, so operators can compare the effective configuration of every instance against the intended one and spot drift or disabled security settings.
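Drift detection built on that endpoint: snapshot the flags once, then diff later output against the baseline. This is an added example, not code from the page or the Kubernetes project. It assumes the flag lines are emitted as name=value, one per line, with any header or warning lines lacking that shape (skipped); the sample baseline and current output are constructed for the demo and are not real /flagz captures.

```bash
#!/usr/bin/env bash
# Added example: report added, removed and changed flags between two /flagz dumps.

# $1: baseline file, $2: current file. Prints one line per drifted flag,
# sorted; returns 1 when any drift was found, 0 when the flags match.
flag_drift() {
  local out
  out=$(awk -F= '
    /^[A-Za-z0-9_-]+=/ {
      val = substr($0, index($0, "=") + 1)      # keep "=" inside values intact
      if (FNR == NR) { base[$1] = val; next }   # first file: the baseline
      if (!($1 in base))        print "ADDED   " $1 "=" val
      else if (base[$1] != val) print "CHANGED " $1 ": " base[$1] " -> " val
      seen[$1] = 1
    }
    END { for (k in base) if (!(k in seen)) print "REMOVED " k "=" base[k] }
  ' "$1" "$2" | sort)
  [ -z "$out" ] && return 0
  printf '%s\n' "$out"
  return 1
}

# Live use: fetch the API server's flags (needs RBAC on the nonResourceURL
# /flagz) and compare against a stored baseline.
apiserver_flag_drift() {
  local baseline="$1" cur rc
  cur=$(mktemp)
  kubectl get --raw /flagz > "$cur" || { rm -f "$cur"; return 2; }
  flag_drift "$baseline" "$cur"; rc=$?
  rm -f "$cur"
  return $rc
}

# Offline demo on constructed input (not real /flagz output).
demo_drift() {
  local dir rc
  dir=$(mktemp -d)
  cat > "$dir/baseline" <<'EOF'
kube-apiserver flags
Warning: constructed sample, not a real capture

anonymous-auth=false
audit-log-path=/var/log/kube-audit.log
enable-admission-plugins=NodeRestriction
EOF
  cat > "$dir/current" <<'EOF'
kube-apiserver flags
Warning: constructed sample, not a real capture

anonymous-auth=true
audit-log-path=/var/log/kube-audit.log
profiling=true
EOF
  flag_drift "$dir/baseline" "$dir/current"; rc=$?
  rm -rf "$dir"
  return $rc
}
```

On the constructed sample the report is three lines: anonymous-auth flipped to true, profiling appeared, and the NodeRestriction admission plugin flag went missing, which is exactly the kind of silent weakening a baseline comparison is meant to surface.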
HostNetwork Pods with User Namespaces
hostNetwork pods can now also run inside a user namespace, so a process that is root inside the container maps to an unprivileged UID on the host even though it shares the host's network stack. That shrinks the blast radius of a compromised host-networked pod.
CSI Driver Opt-In for SA Tokens
CSI drivers can opt in to receiving service account tokens in the secrets field of the CSI NodePublishVolume request instead of in VolumeContext, which keeps tokens out of a field that is routinely logged and passed around as plain parameters.
Now Enabled by Default
These enhancements have graduated and are now enabled by default in Kubernetes 1.35.
Pod Certificates
Pods can obtain their own X.509 certificates through the PodCertificateRequest API, bound to the pod's identity, without a sidecar or an external issuer.
User Namespaces for Pods
Containers run in a user namespace, so root inside the container is an unprivileged UID on the host and a container escape does not land as host root.
OCI Artifacts as VolumeSource
OCI images and artifacts can be mounted directly as read-only volumes, so configuration, models and other assets ship through the same signed, registry-hosted path as container images.
Separated kubectl User Preferences
Clean separation of cluster configs from user preferences via kuberc file.
Gogo Protobuf Removal
The deprecated and unmaintained gogo/protobuf serialization library has been removed from the API machinery, taking an abandoned dependency out of the supply chain.
Structured Authentication Config
Authentication is configured from a file (--authentication-config) rather than a long list of API server flags, with CEL expressions for validating and mapping token claims.
Fine-grained SupplementalGroups
With supplementalGroupsPolicy: Strict, a container's group membership comes only from the Pod spec; groups listed for the user in the image's /etc/group are no longer added, so an image cannot quietly grant itself extra groups.
Drop-in Kubelet Config Directory
A Linux-style drop-in directory for kubelet configuration fragments, so settings can be layered and managed predictably instead of editing one large file.
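The drop-in directory and the image pull credential policy from the breaking-changes section above fit together naturally: a small fragment that pins imagePullCredentialsVerificationPolicy on every node. This is an added example, not code from the page or the Kubernetes project. The drop-in directory path is an assumption (it is whatever --config-dir points at on your nodes), and the field names follow the kubelet configuration reference for the ensure-secret-pulled-images feature.

```bash
#!/usr/bin/env bash
# Added example: render and install a kubelet drop-in that sets the image pull
# credential verification policy, validating the value first.

# The four values the kubelet accepts for imagePullCredentialsVerificationPolicy.
ALLOWED_POLICIES="NeverVerify NeverVerifyPreloadedImages NeverVerifyAllowlistedImages AlwaysVerify"

policy_valid() {
  local p
  for p in $ALLOWED_POLICIES; do
    [ "$p" = "$1" ] && return 0
  done
  return 1
}

# $1: policy; remaining args: image refs exempted from verification
# (only consulted by the kubelet under NeverVerifyAllowlistedImages).
render_dropin() {
  local policy="$1" img
  shift
  policy_valid "$policy" || { echo "invalid policy: $policy" >&2; return 1; }
  printf 'apiVersion: kubelet.config.k8s.io/v1beta1\nkind: KubeletConfiguration\n'
  printf 'imagePullCredentialsVerificationPolicy: %s\n' "$policy"
  if [ $# -gt 0 ]; then
    printf 'preloadedImagesVerificationAllowlist:\n'
    for img in "$@"; do printf -- '- %s\n' "$img"; done
  fi
}

# Fragments in the drop-in directory must end in .conf and are applied in
# lexical order, so a 90- prefix lets this one override earlier fragments.
# KUBELET_CONF_D is an assumed default; set it to your --config-dir.
install_dropin() {
  local dir="${KUBELET_CONF_D:-/etc/kubernetes/kubelet.conf.d}"
  mkdir -p "$dir"
  render_dropin "$@" > "$dir/90-image-pull-policy.conf"
}
```

AlwaysVerify is the strict choice for multi-tenant nodes; NeverVerifyPreloadedImages keeps images baked into the node image usable without credentials, and the allowlist variant lets you name exactly which preloaded images get that exemption.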
How to Plan Your Kubernetes 1.35 Upgrade
Before upgrading, review the official upgrade guide and consider:
Running stat -fc %T /sys/fs/cgroup/ on every node to confirm it prints cgroup2fs; tmpfs means the node is still on cgroup v1 and must be switched before the kubelet is upgraded.
Practical Implementation Guides
Install Kubernetes on Ubuntu Server
A complete walkthrough on how to install a Kubernetes cluster on Ubuntu server, covering prerequisites, CNI setup, and worker node joining.
Kubernetes vs Docker Swarm
Which is better for small teams? We compare complexity, resource overhead, and features to help you decide between K8s and Swarm.
Run Kubernetes on Proxmox VE
The ultimate home lab setup: Learn how to deploy Kubernetes nodes as VMs on Proxmox VE for a flexible, snapshot-ready testing environment.
Kubernetes Backup & Disaster Recovery
Protect your Kubernetes workloads with industry-standard backup solutions. Learn how to implement disaster recovery, migrate clusters, and ensure data resilience.
Knative Officially Graduates in CNCF
Knative, the Kubernetes-native serverless platform, has officially graduated in the CNCF. This milestone confirms its production-readiness.
Docker vs Kubernetes
Understand the differences between Docker and Kubernetes, and why orchestration is essential.
Deep Dive: Why Kubernetes 1.35 Feels Like a Security-First Release
Read our full analysis of what these changes mean for your clusters
Frequently Asked Questions
What exactly does Kubernetes do?
Kubernetes automates the deployment, scaling, and management of containerized applications, handling tasks like load balancing, self-healing, storage orchestration, and service discovery across clusters of nodes.
Is Kubernetes Docker?
No, Kubernetes is not Docker; Docker is a container runtime for building and running individual containers, while Kubernetes is an orchestration platform that manages multiple containers (from Docker or other runtimes) across distributed systems.
Why are companies quitting Kubernetes?
Some companies leave Kubernetes due to high operational complexity, resource inefficiencies, scaling delays for stateful workloads like Kafka, excessive costs from over-provisioning, and better alternatives for specific needs like dev environments or serverless batch processing.
Can Kubernetes run on Proxmox?
Yes, Kubernetes runs well on Proxmox by deploying its nodes as VMs (recommended for isolation) or LXC containers, using templates for quick scaling. Installing directly on the Proxmox host itself is possible but fragile and not recommended for production.
What are Kubernetes best alternatives?
Popular alternatives include Docker Swarm for simpler orchestration, managed services like Google Cloud Run or AWS ECS for serverless ease, Nomad for flexibility, or custom control planes for specialized development workflows that want to avoid Kubernetes overhead.
Recommended Book

Stop Guessing Kubernetes: Clear Answers to the Most Confusing Questions Part I
A practical, no-nonsense guide to understanding Kubernetes the way it actually works. This book cuts through the noise and explains Kubernetes from first principles, using real-world questions engineers ask every day.
Get the Book on Amazon