What to Expect From Kubernetes 1.36

Kubernetes 1.36 arrives on 22 April 2026, continuing the CNCF’s tri‑annual cadence that has become a benchmark for cloud‑native roadmaps. This release places security front‑and‑center, beginning with a hardening of Linux user namespaces that let pods run as root inside the container while mapping to non‑privileged host users, dramatically reducing container‑escape attack vectors. The update also refines the WatchCache component, trimming latency for list and watch operations across the API server. Together, these changes signal a maturing platform that prioritises both performance and isolation for enterprise workloads.

A more visible shift is the retirement of the long‑standing Ingress‑nginx controller, ending official security updates for that code path. Kubernetes now pushes the Gateway API as the primary ingress mechanism, offering role‑oriented resources, cross‑namespace routing, and granular traffic‑splitting that align with modern microservice architectures. Teams will need to refactor manifests and adopt new CRDs, but the payoff includes a cleaner separation between infrastructure and application concerns and a future‑proof networking stack that scales with multi‑tenant environments.

The 1.36 release also stabilises the Dynamic Resource Allocation (DRA) API, introducing taints and tolerations for specialized hardware so clusters can gracefully drain failing devices while preserving workload locality. Coupled with manifest‑based admission‑control configuration, administrators gain immutable policy files that survive pod deletions or etcd outages, tightening the security posture of critical clusters. However, real‑world upgrades remain fraught, as recent 1.35 rollouts showed node‑group disruptions despite thorough testing. Organizations should adopt staged rollouts, comprehensive monitoring, and fallback plans to mitigate the inevitable hiccups of a platform this complex.