Alibaba Cloud Container Service for Kubernetes (ACK) is certified as Kubernetes conformant. This document describes the major changes, feature updates, and deprecations for Kubernetes 1.36 on ACK, as well as upgrade notices and component versions.
Component versions
The following table lists the versions of core components in an ACK cluster.
| Core component | Version |
| --- | --- |
| Kubernetes | 1.36.1-aliyun.1 |
| etcd | v3.6.10 |
| containerd | 2.1.6 |
| CoreDNS | v1.12.1.3 |
| CSI | Upgraded to the latest supported version. For details, see the change logs for csi-plugin and csi-provisioner. |
| CNI | Flannel v0.28.0.6; Terway and TerwayControlplane v1.15.0 or later |
Major changes
In Kubernetes 1.36, the `.spec.externalIPs` field for Services is deprecated and is scheduled for removal in v1.43. This field has long been known as a security weakness: it can expose cluster traffic to man-in-the-middle attacks, as documented in CVE-2020-8554. If you are using this field, migrate to an alternative as soon as possible.

For new clusters running Kubernetes 1.36, the default version of the Gateway API component changes from 1.3.0 to 1.5.1. Because Gateway API 1.5.1 deprecates the v1alpha2 version of the TLSRoute API, Alibaba Cloud Service Mesh (ASM) instances of v1.25 and earlier and Istio versions earlier than 1.29.2 are incompatible with it.

When you upgrade an existing cluster to Kubernetes 1.36, the Gateway API component is not automatically upgraded. To upgrade the component manually, see Gateway API.
Feature updates
The VolumeGroupSnapshot feature is now Generally Available (GA). It allows you to create a consistent snapshot across multiple persistent volume claims simultaneously, reducing the risk of data inconsistency caused by asynchronous snapshots.
The Mutable CSINode allocatable feature is now GA. It allows a CSI driver to dynamically update the number of volumes that can be attached to a node. This prevents scheduling inaccuracies or attachment failures caused by outdated volume attachment limits.
Key Dynamic Resource Allocation (DRA) features are now GA, including DRA admin access and prioritized lists. These provide a long-term, stable API foundation for global hardware resource management and a consistent, predictable resource selection logic. Additionally, some highly anticipated features have graduated to Beta. For more information, see Kubernetes 1.36 DRA Updates.
MutatingAdmissionPolicies is now GA. This feature allows administrators to define resource mutation rules directly in the API server by using Common Expression Language (CEL). It provides a native alternative to traditional admission webhooks in many scenarios, reducing network and operational overhead while ensuring more predictable cluster behavior.
The UserNamespacesSupport feature is now GA. It is enabled by default and lets Pods use Linux user namespaces for enhanced security. This change does not affect existing Pods. You can manually set `pod.spec.hostUsers` to opt in to or out of this feature.

KubeletPSI graduates to Beta. This feature lets the kubelet expose Pressure Stall Information (PSI) metrics through the Summary API and Prometheus metrics.
This release introduces staleness mitigation for controllers. This improvement prevents incorrect operations that can occur when a controller acts on stale cached data.
The StrictIPCIDRValidation feature graduates to Beta. It strengthens validation for IP and CIDR fields in the API, enabling earlier detection of malformed addresses and network segments. This helps prevent subtle configuration issues or security risks in resources like Services, Pods, and NetworkPolicies caused by invalid IP addresses or CIDRs.
MutablePodResourcesForSuspendedJobs graduates to Beta and is enabled by default. This feature lets you modify the CPU, memory, GPU, and extended resource requests and limits of a container when its Job is suspended.
ConstrainedImpersonation, which graduates to Beta, aligns the user impersonation mechanism with the principle of least privilege. When enabled, the impersonator must have permissions to both impersonate a specific identity and perform the intended actions as that identity.
ComponentStatusz graduates to Beta and is enabled by default. It provides a `/statusz` endpoint for core Kubernetes components to display real-time build and version information, such as startup time, uptime, Go version, binary version, and compatibility version. This helps operators and developers quickly understand the current running status.

ComponentFlagz graduates to Beta and is enabled by default. It provides a unified `/flagz` endpoint for core Kubernetes components that displays the command-line parameters in effect at startup. This helps operators and developers troubleshoot configuration issues or verify that parameter changes are applied after a restart.
Deprecations
In Kubernetes 1.36, the `.spec.externalIPs` field for Services is deprecated and is scheduled for removal in v1.43. If you are using this field, migrate to an alternative as soon as possible.

Starting in Kubernetes 1.36, the gitrepo volume plugin is permanently disabled. We recommend using alternatives such as an init container or an external git-sync tool.
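As an added example (not part of these release notes or of ACK), the following pre-upgrade audit walks a `kubectl get svc,pods -A -o json` style listing and reports the two items flagged above under Major changes and Deprecations: Services that still set `.spec.externalIPs` and Pods that still mount gitRepo volumes. The JSON input, names and addresses are constructed sample data.

```python
# Added example: audit a kubectl JSON listing for fields deprecated or
# disabled in Kubernetes 1.36 (Service .spec.externalIPs, Pod gitRepo volumes).
import json

# Constructed sample in the shape of a `kubectl get svc,pods -A -o json` List.
SAMPLE = json.dumps({
    "items": [
        {"kind": "Service", "metadata": {"namespace": "prod", "name": "legacy-lb"},
         "spec": {"type": "ClusterIP", "externalIPs": ["203.0.113.10"]}},
        {"kind": "Service", "metadata": {"namespace": "prod", "name": "api"},
         "spec": {"type": "ClusterIP"}},
        {"kind": "Pod", "metadata": {"namespace": "ci", "name": "builder"},
         "spec": {"volumes": [{"name": "src",
                               "gitRepo": {"repository": "https://example.invalid/repo.git"}}]}},
        {"kind": "Pod", "metadata": {"namespace": "ci", "name": "runner"},
         "spec": {"volumes": [{"name": "tmp", "emptyDir": {}}]}},
    ]
})


def audit(kubectl_json):
    """Return one finding dict per object that relies on a deprecated or disabled field."""
    findings = []
    for obj in json.loads(kubectl_json).get("items", []):
        kind = obj.get("kind")
        meta = obj.get("metadata", {})
        spec = obj.get("spec", {})
        ref = "%s/%s/%s" % (kind, meta.get("namespace", ""), meta.get("name", ""))
        if kind == "Service" and spec.get("externalIPs"):
            # Deprecated in 1.36, removal scheduled for v1.43 (see CVE-2020-8554).
            findings.append({"object": ref, "issue": "spec.externalIPs",
                             "detail": ",".join(spec["externalIPs"])})
        if kind == "Pod":
            for vol in spec.get("volumes", []):
                if "gitRepo" in vol:
                    # The gitrepo plugin is permanently disabled from 1.36 on,
                    # so this Pod will fail to start after the upgrade.
                    findings.append({"object": ref, "issue": "gitRepo volume",
                                     "detail": vol.get("name", "")})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE):
        print("%s: %s (%s)" % (f["object"], f["issue"], f["detail"]))
```

Run it against real cluster output by piping `kubectl get svc,pods -A -o json` into `audit()` instead of `SAMPLE`.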
References
For the complete changelog of Kubernetes 1.36, see CHANGELOG-1.36 and Kubernetes v1.36: ハル (Haru).