The latest articles on DEV Community by Aziz Zoaib (@azizzoaib786). https://dev.to/azizzoaib786 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F865258%2Fd3d6ec40-8f02-4598-8487-6dce8bf97b7c.jpeg https://dev.to/azizzoaib786 en Aziz Zoaib Sun, 28 Jun 2026 17:19:32 +0000 https://dev.to/azizzoaib786/kubernetes-136-8-features-worth-your-attention-1kkb https://dev.to/azizzoaib786/kubernetes-136-8-features-worth-your-attention-1kkb <p><strong>Kubernetes 1.36 (Haru)</strong> brings around 70 enhancements, ranging from security improvements to new scheduling capabilities. While most release summaries try to cover everything, I wanted to focus on the features that stood out to me as someone working with Kubernetes platforms on a daily basis.</p> <p>These are the features I believe Platform Engineers, SREs, and Kubernetes administrators should pay attention to.</p> <h2> 1. Mutating Admission Policies are Finally GA </h2> <p>One of the most practical improvements in Kubernetes 1.36 is the graduation of Mutating Admission Policies to General Availability.<br> Traditionally, if you wanted to automatically add labels, inject sidecars, or enforce organization-wide defaults, you needed an admission webhook.</p> <p>That meant:</p> <ul> <li>Running another service</li> <li>Managing TLS certificates</li> <li>Monitoring webhook availability</li> <li>Debugging API server timeouts</li> </ul> <p>With Mutating Admission Policies, many of these use cases can now be handled directly inside the Kubernetes API server using CEL expressions.</p> <p>**Why it matters<br> A failed webhook can block workload creation across an entire cluster. Eliminating that dependency reduces operational complexity and removes a common failure point.</p> <h2> 2. User Namespaces are GA </h2> <p>User Namespaces have been in development for years and are finally considered production ready in Kubernetes 1.36.<br> Without User Namespaces, a process running as root inside a container is also root from the perspective of the host operating system.</p> <p>With User Namespaces enabled, root inside the container is mapped to an unprivileged user on the node. Even if a container escape vulnerability is exploited, the attacker gains significantly fewer privileges.</p> <p><strong>Example</strong></p> <p><code>spec:<br> hostUsers: false</code></p> <p>**Why it matters<br> This is one of the biggest container isolation improvements Kubernetes has delivered in recent years.</p> <h2> 3. Fine-Grained Kubelet Authorization </h2> <p>Many monitoring and troubleshooting tools previously required broad access through the nodes/proxy permission.<br> Kubernetes 1.36 introduces fine-grained kubelet authorization, allowing access to specific endpoints without granting excessive permissions.</p> <p><strong>Why it matters</strong><br> This makes RBAC cleaner and follows the principle of least privilege.</p> <h2> 4. Node Log Query </h2> <p>If you've ever SSHed into a worker node just to inspect kubelet logs, you'll appreciate this feature.<br> Kubernetes now supports retrieving node logs through the Kubernetes API.</p> <p><strong>Example</strong><br> <code>kubectl get --raw "/api/v1/nodes/node-1/logs?query=kubelet"</code></p> <p><strong>Why it matters</strong><br> Less SSH access. Faster troubleshooting. Easier automation.</p> <h2> 5. OCI Volume Support is Stable </h2> <p>This is one of my favorite additions.<br> Kubernetes can now mount content directly from OCI registries as a volume source.</p> <p>Instead of packaging everything into container images or maintaining separate storage systems, teams can distribute:</p> <ul> <li>ML models</li> <li>Static assets</li> <li>Configuration bundles</li> <li>Reference datasets</li> </ul> <p>using the same OCI registries they already use for containers.</p> <p><strong>Why it matters</strong><br> It simplifies distribution and keeps everything versioned in one place.</p> <h2> 6. PSI Metrics are Stable </h2> <p>Pressure Stall Information (PSI) metrics provide visibility into resource contention for CPU, memory, and I/O.<br> Traditional metrics might show a node at 60% CPU utilization.<br> PSI tells you whether workloads are actually waiting for resources.</p> <p><strong>Why it matters</strong><br> This helps identify noisy neighbors and improves resource tuning decisions.</p> <h2> 7. Resource Health Status </h2> <p>Kubernetes now provides better visibility into hardware and device health through Resource Health Status.</p> <p>This is especially useful when running:</p> <ul> <li>GPUs</li> <li>AI workloads</li> </ul> <p><strong>Why it matters</strong><br> Troubleshooting hardware-related issues becomes much easier.</p> <h2> 8. Mutable Suspended Jobs </h2> <p>Previously, if you wanted to change resource requests for a suspended Job, you often had to recreate it.<br> Kubernetes 1.36 allows resource requests and limits to be updated while the Job remains suspended.</p> <p><strong>Why it matters</strong><br> This gives platform teams more flexibility when managing batch workloads and scheduled processing jobs.</p> <p><strong>Let's Connect</strong><br> Thank you for reading.</p> <p>If you're building cloud-native platforms, working with AWS, Kubernetes, OpenShift, Terraform, or Platform Engineering, I'd love to hear about your experiences and learn from your journey.</p> <p>You can find more of my work at:<br> 🌐 <a href="https://azizzoaib.com" rel="noopener noreferrer">https://azizzoaib.com</a></p> <p>For questions, feedback, collaboration opportunities, or simply to connect, feel free to reach out at:<br> 📧 <a href="mailto:me@azizzoaib.com">me@azizzoaib.com</a></p> <p>Cheers!</p> kubernetes aws devops sre