Alibaba Cloud Container Service for Kubernetes is a certified Kubernetes-conformant service. This topic describes the major changes in the Kubernetes 1.35 release for ACK, including upgrade considerations, major changes, new features, deprecated features and APIs, and feature gates.
Component Version Guide
The following table shows the supported versions of core components in ACK clusters.
Core Component | Version Number |
Kubernetes | 1.35.1-aliyun.1 |
etcd | v3.5.21 |
containerd | 2.1.5 |
CoreDNS | v1.12.1.2 |
CSI | Upgrade to the latest supported version of the component. For more information, see the component change records for csi-plugin and csi-provisioner. |
CNI | Flannel v0.15.1.23-33d25c1-aliyun; Terway and TerwayControlplane v1.15.0 or later |
Major Changes
As of version 1.35, Kubernetes no longer supports cgroup v1. Support for cgroup v2 became stable in version 1.25. Node operating systems must support cgroup v2. Otherwise, the kubelet will not start.
For information about cgroup version support for ACK operating system images, see Operating System. For information about how to replace or upgrade an operating system, see Replace an Operating System.
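Before upgrading the control plane, you can confirm that every worker node is already on cgroup v2 while the current (pre-1.35) kubelet is still running. The following manifest is an added example and is not part of the ACK documentation: it pins a one-off Pod to a node and inspects the filesystem type of the container's own /sys/fs/cgroup mount, which the container runtime creates with the same cgroup version as the host. The node name and the busybox image tag are placeholders.

```yaml
# Added example (not ACK's own manifest): report the cgroup version of one node.
# Assumptions: "worker-1" and the busybox image tag are placeholders; the Pod runs
# under the Pod Security "restricted" profile, so no hostPath mount is needed.
apiVersion: v1
kind: Pod
metadata:
  name: cgroup-version-check
  namespace: default
spec:
  nodeName: worker-1            # placeholder: the node you want to inspect
  restartPolicy: Never
  securityContext:
    runAsNonRoot: true
    runAsUser: 65534
    seccompProfile:
      type: RuntimeDefault
  containers:
  - name: check
    image: busybox:1.36         # placeholder: any image with sh and stat
    command:
    - sh
    - -c
    - |
      # cgroup v2 exposes a single cgroup2fs at /sys/fs/cgroup; cgroup v1 exposes a
      # tmpfs with one subdirectory per controller. The container sees the host's version.
      fstype=$(stat -fc %T /sys/fs/cgroup)
      if [ "$fstype" = "cgroup2fs" ]; then
        echo "cgroup v2 detected: node can run the Kubernetes 1.35 kubelet"
      else
        echo "cgroup v1 detected ($fstype): replace or upgrade the OS image before upgrading to 1.35"
        exit 1
      fi
    securityContext:
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
      capabilities:
        drop: ["ALL"]
```

Apply the manifest, then read the verdict with kubectl logs cgroup-version-check; the Pod ends in the Failed phase on a cgroup v1 node, which makes the result easy to spot in a loop over all nodes.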
Feature Changes
The PreferSameNode option in the trafficDistribution field of a Service is now generally available (GA). This option prioritizes routing traffic to endpoints on the same node and falls back to endpoints on other nodes only when no endpoints are available on the current node. The PreferSameTrafficDistribution feature gate for this feature has been enabled by default since version 1.34. It supports both PreferSameNode and PreferSameZone. The original PreferClose option has been renamed to PreferSameZone.

PodObservedGenerationTracking is now stable. When a Pod's spec is updated, its .metadata.generation increments, and the kubelet records the spec generation it has processed in the Pod's .status.observedGeneration field. This lets controllers and operators determine accurately whether Pod changes (such as in-place scaling) have taken effect on the node, avoiding issues caused by delayed status updates.

The node topology manager policy option max-allowable-numa-nodes is now stable. The topology manager can correctly calculate affinity on servers with more than 8 NUMA nodes.

The Downward API now supports injecting node topology labels, such as topology.kubernetes.io/zone and topology.kubernetes.io/region, into Pods.

StorageVersionMigrator is now in Beta and disabled by default. This feature moves Storage Version Migration capabilities from external tools into an in-tree Kubernetes implementation. For more information, see Move Storage Version Migrator in-tree.

MutableCSINodeAllocatableCount is now enabled by default. This feature allows CSI drivers to periodically update the number of allocatable volumes on a node. When a node's allocatable volume count is not updated promptly, Pods can be scheduled onto nodes with insufficient volume capacity and become stuck in the ContainerCreating state; this feature helps prevent that.

Opportunistic batching lets the scheduler cache intermediate scheduling results, which significantly improves scheduling throughput for similar Pods.
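The PreferSameNode routing described above is typically used for node-local agents such as caches or log forwarders. The following manifest is an added example, not part of the ACK documentation: a DaemonSet places one endpoint on every node and the Service asks the proxy to route each client to the endpoint on its own node. The namespace, image reference and port are placeholders.

```yaml
# Added example (not ACK's own manifest): node-local endpoints behind a Service
# that uses trafficDistribution: PreferSameNode (GA in Kubernetes 1.35).
# Assumptions: namespace "infra", image "registry.example.com/node-cache:1.0"
# and port 8080 are placeholders.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: node-cache
  namespace: infra
spec:
  selector:
    matchLabels:
      app: node-cache
  template:
    metadata:
      labels:
        app: node-cache
    spec:
      containers:
      - name: cache
        image: registry.example.com/node-cache:1.0   # placeholder
        ports:
        - name: http
          containerPort: 8080
---
apiVersion: v1
kind: Service
metadata:
  name: node-cache
  namespace: infra
spec:
  selector:
    app: node-cache
  ports:
  - name: http
    port: 80
    targetPort: http
  # PreferSameNode: route to the endpoint on the client's node when one is available and
  # fall back to endpoints on other nodes only when none is. Use PreferSameZone (formerly
  # PreferClose) when zone locality is enough.
  trafficDistribution: PreferSameNode
```

Because the fallback is automatic, a node whose DaemonSet Pod is restarting keeps working, just without the locality benefit; alert on cross-node traffic if that locality is a hard requirement.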
MaxUnavailableStatefulSet is now in Beta and enabled by default. This feature lets you set the maxUnavailable field in the rolling update strategy of a StatefulSet, which specifies the maximum number of Pods that can be unavailable during an update.

The Pod Certificates feature is now in Beta and disabled by default. This feature supports generating certificates for Pods to perform mutual authentication with the kube-apiserver, with automatic certificate rotation, which provides a more secure authentication method than traditional ServiceAccount tokens. For more information, see KEP-4317: Pod Certificates.
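The maxUnavailable field sits next to partition in the rolling update strategy. The manifest below is an added example and is not part of the ACK documentation; the application name, image and replica count are placeholders chosen to make the effect visible.

```yaml
# Added example (not ACK's own manifest): a StatefulSet that updates two Pods at a time
# instead of the default one. Assumptions: name "web", image "registry.example.com/web:2.0"
# and the replica count are placeholders.
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: web
spec:
  serviceName: web
  replicas: 6
  selector:
    matchLabels:
      app: web
  template:
    metadata:
      labels:
        app: web
    spec:
      containers:
      - name: web
        image: registry.example.com/web:2.0   # placeholder
        ports:
        - containerPort: 8080
  updateStrategy:
    type: RollingUpdate
    rollingUpdate:
      partition: 0
      # MaxUnavailableStatefulSet (Beta, on by default in 1.35): at most 2 Pods may be
      # unavailable during the rollout, so 6 replicas roll in 3 waves instead of 6.
      maxUnavailable: 2
```

Keep maxUnavailable below the quorum loss threshold of the workload (for a 6-member consensus group, 2 is the most that can be down while a majority remains), since the controller counts every unavailable Pod in the range 0 to replicas-1 against the limit, not only the ones it is updating.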
kubectl now supports the KYAML format. KYAML is a subset of YAML designed for Kubernetes to resolve ambiguities and security issues that can occur during standard YAML parsing. You can disable this feature by setting the KUBECTL_KYAML=false environment variable. For more information, see Introducing KYAML.

The behavior field of the HorizontalPodAutoscaler (HPA) now supports configurable tolerance thresholds. Previously, scaling decisions relied on a fixed global tolerance of 10%. You can now configure the threshold to meet your requirements.

User Namespaces is now in Beta. This feature allows Pods to run in a user namespace that is isolated from the host. Container processes can run as root (UID 0) within their namespace but are mapped to a non-privileged, non-zero user ID on the host, which reduces the risk of privilege escalation resulting from a container escape.
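A Pod opts into a user namespace with the hostUsers field. The following manifest is an added example, not part of the ACK documentation: it runs a legacy application that insists on UID 0 inside its own namespace while keeping the rest of the container hardened. The image reference is a placeholder; the example assumes the node's kernel and containerd support ID-mapped mounts, which user namespaces require.

```yaml
# Added example (not ACK's own manifest): root inside the container, unprivileged on the host.
# Assumptions: image "registry.example.com/legacy-app:2.3" is a placeholder; the node runtime
# and kernel support user namespaces (ID-mapped mounts).
apiVersion: v1
kind: Pod
metadata:
  name: legacy-app
spec:
  # User Namespaces (Beta in 1.35): UIDs/GIDs in the container are mapped to an
  # unprivileged, non-zero range on the host, so UID 0 here is not host root.
  hostUsers: false
  securityContext:
    runAsUser: 0          # root only within the Pod's user namespace
    seccompProfile:
      type: RuntimeDefault
  containers:
  - name: app
    image: registry.example.com/legacy-app:2.3   # placeholder
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop: ["ALL"]
```

To verify the mapping, run kubectl exec legacy-app -- cat /proc/self/uid_map: the first column (0) is the UID inside the namespace, the second is the host UID it maps to, and the third is the range length. A container-escape bug then lands the attacker in that unprivileged host UID rather than as host root, which is the risk reduction the feature is meant to deliver.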
The ImageVolume feature is now enabled by default. It lets you use image type volumes in Pods. This volume type mounts the content of a container image into the Pod as a read-only volume. To use this feature, your containerd version must be 2.1 or later.

KubeletEnsureSecretPulledImages is now in Beta and enabled by default. This feature enhances multi-tenant cluster security by enforcing credential validation for Pods that use imagePullPolicy: IfNotPresent. Without it, a Pod with credentials can pull a private image to a node, after which other Pods on the same node that lack credentials can use that sensitive image from the local cache.

ContainerRestartRules is now in Beta and enabled by default. This feature provides more granular, container-level restart policy configuration: you can override the Pod-level restart policy by specifying the restartPolicy and restartPolicyRules fields on individual containers. For more information, see Individual container restart policy and rules.

CSI drivers now support setting the spec.serviceAccountTokenInSecrets field to true in the CSIDriver object. With this setting, ServiceAccount tokens are delivered through Secrets instead of being placed directly in the volume context, which helps prevent accidental credential leakage in logs and error messages. For more information, see CSI driver opt-in for service account tokens via secrets field.

The Deployment object now includes the terminatingReplicas field, which records the number of Pods that have a deletion timestamp but have not yet been fully removed from the system.
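The image volume, container restart rules and CSIDriver settings above are all expressed in ordinary manifests. The following block is an added example and is not part of the ACK documentation: a Pod that mounts a model artifact image read-only and restarts its server container only on one designated exit code, followed by a CSIDriver object that keeps ServiceAccount tokens out of the volume context. The image references, the exit code 42 and the driver name are placeholders.

```yaml
# Added example (not ACK's own manifests). Assumptions: image references, exit code 42
# and the CSI driver name "example.csi.vendor.com" are placeholders.
apiVersion: v1
kind: Pod
metadata:
  name: inference
spec:
  restartPolicy: OnFailure        # Pod-level default for all containers
  volumes:
  - name: model
    # ImageVolume (on by default in 1.35; needs containerd 2.1+): the image content is
    # mounted read-only, so the artifact cannot be modified in place by the workload.
    image:
      reference: registry.example.com/models/llm:v3   # placeholder OCI artifact image
      pullPolicy: IfNotPresent
  containers:
  - name: server
    image: registry.example.com/inference:1.4   # placeholder
    volumeMounts:
    - name: model
      mountPath: /models
      readOnly: true
    # ContainerRestartRules (Beta in 1.35): this container overrides the Pod-level policy.
    # It is not restarted on failure, except when it exits with the constructed code 42,
    # which the application uses to signal a transient, retryable error.
    restartPolicy: Never
    restartPolicyRules:
    - action: Restart
      exitCodes:
        operator: In
        values: [42]
---
apiVersion: storage.k8s.io/v1
kind: CSIDriver
metadata:
  name: example.csi.vendor.com   # placeholder driver name
spec:
  attachRequired: false
  podInfoOnMount: true
  tokenRequests:
  - audience: example.csi.vendor.com   # placeholder audience
    expirationSeconds: 3600
  requiresRepublish: true
  # New in 1.35: pass the ServiceAccount token in the CSI request's secrets field instead of
  # volume_context, so it is not echoed into driver logs or error messages.
  serviceAccountTokenInSecrets: true
```

With KubeletEnsureSecretPulledImages enabled by default, the same credential check that applies to container images also applies to a private image volume pulled with IfNotPresent: a second Pod on the node without pull credentials cannot reuse the cached model image.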
Deprecation Notes
As of version 1.35, the ipvs mode for kube-proxy is deprecated and scheduled for removal in a future version. The official recommendation is to switch to nftables mode, which has been stable since v1.33. Because nftables mode is relatively new, ACK continues to use ipvs mode by default when you create new clusters. ACK plans to support nftables mode in a subsequent version. Alternatively, you can use Terway Datapath V2, which does not rely on kube-proxy.
Version 1.35 is the last version that supports containerd 1.x. Before you upgrade to version 1.36 or later, you must upgrade containerd to version 2.x. ACK clusters have used containerd 2.x by default since version 1.33. For more information, see containerd 2.1 Introduction.
Reference Links
For the complete changelog for Kubernetes 1.35, see CHANGELOG-1.35 and Kubernetes v1.35: Timbernetes (The World Tree Release).