Container Service for Kubernetes:ACK Kubernetes 1.35 release notes

Component versions

Feature changes

Security

• User Namespaces (Beta): Reduces the risk of privilege escalation from a container escape by running a pod in a user namespace isolated from the host. Container processes can run as root (UID 0) within their namespace but are mapped to an unprivileged, non-zero user ID on the host. See User Namespaces.

• Pod Certificates (Beta, disabled by default): Lets pods generate certificates for mutual authentication with the kube-apiserver, with support for automatic certificate rotation. This is more secure than traditional ServiceAccount tokens. See KEP-4317: Pod Certificates.

• KubeletEnsureSecretPulledImages (Beta, enabled by default): Prevents unauthorized image access in multi-tenant clusters by enforcing credential checks for pods that use imagePullPolicy: IfNotPresent. Without this feature, a pod without credentials could access a cached private image previously pulled by a credentialed pod on the same node.

• CSI ServiceAccount tokens via Secrets: Set spec.serviceAccountTokenInSecrets to true in the CSIDriver object to mount ServiceAccount tokens through a Secret instead of placing them directly in the volume context. This prevents credentials from appearing in logs and error messages. See CSI driver opt-in for service account tokens via secrets field.

Networking

• PreferSameNode for service traffic distribution (GA): Routes traffic to endpoints on the same node, falling back to other nodes only when no local endpoints are available. The feature gate PreferSameTrafficDistribution has been enabled by default since version 1.34 and supports both PreferSameNode and PreferSameZone. The original PreferClose option has been renamed to PreferSameZone.

Workloads and scheduling

• MaxUnavailableStatefulSet (Beta, enabled by default): Enables parallel pod updates for stateful workloads by setting the maxUnavailable field in a StatefulSet rolling update policy. This controls the maximum number of unavailable pods during an update.

• ContainerRestartRules (Beta, enabled by default): Enables container-level restart policy configuration. Override the pod-level restart policy by specifying the restartPolicy and restartPolicyRules fields per container. See Individual container restart policy and rules.

• PodObservedGenerationTracking (GA): Lets controllers and Operators accurately determine whether a pod change—such as an in-place resource update—has taken effect on the node. When a pod's spec is updated, its .metadata.generation field increments, and the kubelet records the processed spec version in .status.observedGeneration. This prevents false readings caused by status update delays.

• Opportunistic batching for the scheduler: The scheduler caches intermediate scheduling results, significantly improving scheduling throughput for similar pods. See Opportunistic batching.

• HPA configurable tolerance threshold: The behavior field of HorizontalPodAutoscaler (HPA) now supports a configurable tolerance threshold. Previously, scaling decisions used a fixed global tolerance of 10%. Configure this threshold to match your workload requirements.

• Deployment terminatingReplicas field: The Deployment object now exposes a terminatingReplicas field that records the number of pods with a deletion timestamp that have not yet been fully removed.

Storage

• MutableCSINodeAllocatableCount (enabled by default): Fixes a scheduling issue where stale allocatable volume counts caused pods to be scheduled on nodes with insufficient volume capacity, leaving them stuck in ContainerCreating. Container Storage Interface (CSI) drivers can now periodically update the number of allocatable volumes on a node.

• ImageVolume (enabled by default): Lets you mount the contents of a container image as a read-only volume in a pod using volumes of type image. Requires containerd 2.1 or later.

• StorageVersionMigrator (Beta, disabled by default): Moves Storage Version Migration from an external tool to an internal Kubernetes implementation. See Move Storage Version Migrator in-tree.

Node management

• max-allowable-numa-nodes topology manager policy option (GA): The topology manager can now correctly calculate affinity on servers with more than 8 NUMA nodes. See max-allowable-numa-nodes.

• Downward API node topology label injection: Inject node topology labels—such as topology.kubernetes.io/zone and topology.kubernetes.io/region—directly into pods via the Downward API.

CLI and tooling

• Kubectl KYAML support: kubectl now supports the KYAML format, a subset of YAML designed for Kubernetes that addresses ambiguities and security vulnerabilities in standard YAML parsing. Disable with KUBECTL_KYAML=false. See Introducing KYAML.

Bug fixes

• CVE fixes in 1.35.2-aliyun.1: Version 1.35.2-aliyun.1 fixes CVE-2025-61732 and CVE-2025-68121.

Deprecation notes

• kube-proxy ipvs mode (deprecated): The ipvs mode for kube-proxy is deprecated in v1.35 and will be removed in a future version. Migrate to nftables mode, which has been stable since v1.33. ACK continues to use ipvs by default for new clusters. As an alternative, use Terway Datapath V2, which does not rely on kube-proxy.

• containerd 1.x (end of support): Kubernetes 1.35 is the last version to support containerd 1.x. Upgrade containerd to 2.x before upgrading to Kubernetes 1.36 or later. ACK clusters have used containerd 2.x by default since version 1.33. For more information, see Introduction to containerd 2.1.

References

For the complete Kubernetes 1.35 changelog, see CHANGELOG-1.35 and Kubernetes v1.35: Timbernetes (The World Tree Release).