DEV Community

Aziz Zoaib

Kubernetes 1.36: 8 Features Worth Your Attention

Kubernetes 1.36 (Haru) brings around 70 enhancements, ranging from security improvements to new scheduling capabilities. While most release summaries try to cover everything, I wanted to focus on the features that stood out to me as someone working with Kubernetes platforms on a daily basis.

These are the features I believe Platform Engineers, SREs, and Kubernetes administrators should pay attention to.

1. Mutating Admission Policies are Finally GA

One of the most practical improvements in Kubernetes 1.36 is the graduation of Mutating Admission Policies to General Availability.
Traditionally, if you wanted to automatically add labels, inject sidecars, or enforce organization-wide defaults, you needed an admission webhook.

That meant:

  • Running another service
  • Managing TLS certificates
  • Monitoring webhook availability
  • Debugging API server timeouts

With Mutating Admission Policies, many of these use cases can now be handled directly inside the Kubernetes API server using CEL expressions.

Why it matters
A failed webhook can block workload creation across an entire cluster. Eliminating that dependency reduces operational complexity and removes a common failure point.

2. User Namespaces are GA

User Namespaces have been in development for years and are finally considered production ready in Kubernetes 1.36.
Without User Namespaces, a process running as root inside a container is also root from the perspective of the host operating system.

With User Namespaces enabled, root inside the container is mapped to an unprivileged user on the node. Even if a container escape vulnerability is exploited, the attacker gains significantly fewer privileges.

Example

```yaml
spec:
  hostUsers: false
```

Why it matters
This is one of the biggest container isolation improvements Kubernetes has delivered in recent years.
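Sections 1 and 2 combine naturally: a Mutating Admission Policy can make user namespaces the cluster-wide default for new Pods without running a webhook. The manifest below is an added example, not code from the post; it assumes the GA API version is admissionregistration.k8s.io/v1 (check `kubectl api-resources`) and uses a placeholder opt-out label key, security.example.com/user-namespaces.

```yaml
# Added example: default new Pods to hostUsers: false via CEL, in-process.
# Assumption: GA version is admissionregistration.k8s.io/v1.
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingAdmissionPolicy
metadata:
  name: default-user-namespaces
spec:
  # Reject the request if the policy itself errors, rather than silently
  # skipping the hardening; no external webhook can time out here.
  failurePolicy: Fail
  reinvocationPolicy: IfNeeded
  matchConstraints:
    resourceRules:
      - apiGroups: [""]
        apiVersions: ["v1"]
        operations: ["CREATE"]
        resources: ["pods"]
  matchConditions:
    # Respect an explicit choice already made in the manifest.
    - name: hostusers-not-set
      expression: "!has(object.spec.hostUsers)"
    # User namespaces cannot be combined with host network/PID/IPC
    # namespaces; skip those Pods instead of producing a rejected request.
    - name: no-host-namespaces
      expression: >-
        !(has(object.spec.hostNetwork) && object.spec.hostNetwork) &&
        !(has(object.spec.hostPID) && object.spec.hostPID) &&
        !(has(object.spec.hostIPC) && object.spec.hostIPC)
  mutations:
    - patchType: JSONPatch
      jsonPatch:
        expression: >-
          [JSONPatch{op: "add", path: "/spec/hostUsers", value: false}]
---
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingAdmissionPolicyBinding
metadata:
  name: default-user-namespaces
spec:
  policyName: default-user-namespaces
  matchResources:
    namespaceSelector:
      matchExpressions:
        # Placeholder opt-out label for namespaces running node agents etc.
        - key: security.example.com/user-namespaces
          operator: NotIn
          values: ["disabled"]
```

Apply both objects, then create a Pod without hostUsers and confirm the API server returned it with hostUsers: false.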

3. Fine-Grained Kubelet Authorization

Many monitoring and troubleshooting tools previously required broad access through the nodes/proxy permission.
Kubernetes 1.36 introduces fine-grained kubelet authorization, allowing access to specific endpoints without granting excessive permissions.

Why it matters
This makes RBAC cleaner and follows the principle of least privilege.

4. Node Log Query

If you've ever SSHed into a worker node just to inspect kubelet logs, you'll appreciate this feature.
Kubernetes now supports retrieving node logs through the Kubernetes API.

Example (node logs are served through the node's proxy subresource):

```shell
kubectl get --raw "/api/v1/nodes/node-1/proxy/logs/?query=kubelet"
```

Why it matters
Less SSH access. Faster troubleshooting. Easier automation.

5. OCI Volume Support is Stable

This is one of my favorite additions.
Kubernetes can now mount content directly from OCI registries as a volume source.

Instead of packaging everything into container images or maintaining separate storage systems, teams can distribute:

  • ML models
  • Static assets
  • Configuration bundles
  • Reference datasets

using the same OCI registries they already use for containers.

Why it matters
It simplifies distribution and keeps everything versioned in one place.

6. PSI Metrics are Stable

Pressure Stall Information (PSI) metrics provide visibility into resource contention for CPU, memory, and I/O.
Traditional metrics might show a node at 60% CPU utilization.
PSI tells you whether workloads are actually waiting for resources.

Why it matters
This helps identify noisy neighbors and improves resource tuning decisions.

7. Resource Health Status

Kubernetes now provides better visibility into hardware and device health through Resource Health Status.

This is especially useful when running:

  • GPUs
  • AI workloads

Why it matters
Troubleshooting hardware-related issues becomes much easier.

8. Mutable Suspended Jobs

Previously, if you wanted to change resource requests for a suspended Job, you often had to recreate it.
Kubernetes 1.36 allows resource requests and limits to be updated while the Job remains suspended.

Why it matters
This gives platform teams more flexibility when managing batch workloads and scheduled processing jobs.

Let's Connect
Thank you for reading.

If you're building cloud-native platforms, working with AWS, Kubernetes, OpenShift, Terraform, or Platform Engineering, I'd love to hear about your experiences and learn from your journey.

You can find more of my work at:
🌐 https://azizzoaib.com

For questions, feedback, collaboration opportunities, or simply to connect, feel free to reach out at:
📧 me@azizzoaib.com

Cheers!
