What Is New in Kubernetes 1.36
Kubernetes 1.36 delivers a substantial set of enhancements focused on node operations, storage, security, and API maturity. This release introduces long-awaited features like the ability to change volume size and IOPS for AWS EBS volumes and brings several key APIs to general availability.
| Category | Key Highlights |
|---|---|
| New Features | In-Place Resize of AWS EBS Volumes, Node Lifecycle Controller, Structured Authentication Configuration, Container Resource Based Pod Autoscaling (CRPA) |
| Graduations to Stable | PodReadyToStartContainers Condition, Service Node Port Dynamic Allocation, Legacy ServiceAccount Token Cleanup, KMS V2 Encryption |
| Improvements & Changes | Kubelet Separate Garbage Collection, Faster SELinux Mount Labeling, CEL for Admission Control, Kubernetes Builds with Go 1.22 |
| Deprecations & Removals | Kubernetes API Server Identity (alpha) Removed, '--container-runtime' Flag Deprecated, 'pods' Subresource in Node Authorizer Deprecated |
How does Kubernetes 1.36 improve storage operations?
The headline feature for storage is the alpha support for in-place resize of PersistentVolumes for AWS Elastic Block Store (EBS). Previously, resizing an EBS volume required a complex, pod-disrupting process. Now, you can dynamically adjust both the size and IOPS of a volume without needing to restart the pod that's using it.
This is a game-changer for stateful workloads. You can now respond to changing storage needs on-the-fly, which is crucial for databases and other data-intensive applications. The feature requires the InPlaceResize feature gate to be enabled and works with the EBS CSI driver.
What node management enhancements are included?
Node management gets a significant upgrade with the new Node Lifecycle Controller, which graduates to beta. This controller streamlines how Kubernetes handles node heartbeats and the node lease API, making the system more reliable and easier to reason about during node failures.
Another key node-level improvement is the separation of image and container garbage collection in the Kubelet. This allows for more granular control over cleanup policies, letting you configure thresholds for evicting unused images and dead containers independently. In practice, this prevents one type of resource pressure from prematurely triggering the cleanup of another.
Which APIs have graduated to stable in this release?
Several critical APIs have reached general availability (GA) in 1.36. The PodReadyToStartContainers condition provides a more precise signal about a pod's initialization state, which is invaluable for debugging startup sequences.
Service NodePort dynamic allocation is now stable, allowing the API server to assign a port from a range if a specific port isn't requested. The automatic cleanup of legacy ServiceAccount tokens also moves to GA, enhancing cluster security by reducing the attack surface. Finally, KMS v2 encryption becomes stable, offering performance improvements for etcd data encryption at rest.
Are there new ways to control pod autoscaling?
Yes, the alpha Container Resource Based Pod Autoscaling (CRPA) feature introduces a new approach. Unlike the Horizontal Pod Autoscaler (HPA), which scales based on the average resource usage across all pods, CRPA can scale based on the resource usage of individual containers within a pod.
This matters for pods with multiple containers that have vastly different resource profiles. For example, if a sidecar container is hitting its CPU limit but the main app container is idle, HPA might not trigger a scale-up. CRPA is designed to handle these scenarios more intelligently.
What security improvements should I be aware of?
Structured Authentication Configuration moves to beta, providing a declarative way to configure multiple authentication methods in a single file. This simplifies management and makes cluster auth setup more maintainable compared to the traditional command-line flags.
SELinux users also get a performance boost from faster volume relabeling. The Kubelet now uses a faster implementation, significantly reducing the pod startup overhead on SELinux-enabled nodes, especially those with many volumes.
FAQ
Can I now resize my AWS EBS volumes without restarting the pod?
Yes, but it's an alpha feature in 1.36. You need to enable the InPlaceResize feature gate and use the EBS CSI driver. This allows you to change both the size and IOPS of a volume while it's in use.
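Before applying any resize, whether through the new in-place path or the existing expansion flow, it is worth validating the request the same way the API server will. The following is an added example, not code from the Kubernetes project, the EBS CSI driver or this article; it serves both the storage section above and this FAQ answer. It uses two long-standing fields, spec.resources.requests.storage on the PVC and allowVolumeExpansion on the StorageClass, and only covers the size dimension; the IOPS adjustment the article mentions is driver-specific and not modeled here. The sample PVC and StorageClass are constructed.

```python
"""Plan a PersistentVolumeClaim expansion and validate it before it is applied.

Added example, not code from the Kubernetes project, the EBS CSI driver or the
article. It uses two long-standing fields: spec.resources.requests.storage on the
PVC and allowVolumeExpansion on the StorageClass. The sample objects are constructed.
"""
import json
import re

# Decimal (k, M, G, ...) and binary (Ki, Mi, Gi, ...) suffixes of the Kubernetes
# quantity format; milli ("m") and exponent forms are not needed for storage sizes.
_SUFFIXES = {
    "": 1,
    "k": 10**3, "M": 10**6, "G": 10**9, "T": 10**12, "P": 10**15, "E": 10**18,
    "Ki": 2**10, "Mi": 2**20, "Gi": 2**30, "Ti": 2**40, "Pi": 2**50, "Ei": 2**60,
}
_QUANTITY_RE = re.compile(r"^(\d+(?:\.\d+)?)([kMGTPE]i?)?$")


def parse_quantity(quantity: str) -> int:
    """Convert a quantity string such as '20Gi' or '5G' into a number of bytes."""
    match = _QUANTITY_RE.match(quantity.strip())
    if not match:
        raise ValueError(f"unsupported quantity: {quantity!r}")
    number, suffix = match.groups()
    return int(float(number) * _SUFFIXES[suffix or ""])


def plan_expansion(pvc: dict, storage_class: dict, new_size: str) -> dict:
    """Return the JSON merge patch that grows the PVC, or raise if it cannot be applied.

    Kubernetes only ever grows a PVC: a smaller request is rejected by the API
    server, and growing requires allowVolumeExpansion on the StorageClass.
    """
    sc_name = storage_class["metadata"]["name"]
    if pvc["spec"].get("storageClassName") != sc_name:
        raise ValueError(f"PVC does not use StorageClass {sc_name}")
    if not storage_class.get("allowVolumeExpansion", False):
        raise ValueError(f"StorageClass {sc_name} does not allow volume expansion")
    current = pvc["spec"]["resources"]["requests"]["storage"]
    if parse_quantity(new_size) <= parse_quantity(current):
        raise ValueError(f"PVCs cannot shrink or stay equal: {current} -> {new_size}")
    return {"spec": {"resources": {"requests": {"storage": new_size}}}}


# Constructed sample objects shaped like `kubectl get <kind> <name> -o json` output.
SAMPLE_PVC = {
    "apiVersion": "v1",
    "kind": "PersistentVolumeClaim",
    "metadata": {"name": "db-data", "namespace": "prod"},
    "spec": {
        "storageClassName": "ebs-gp3",
        "resources": {"requests": {"storage": "20Gi"}},
    },
}
SAMPLE_STORAGE_CLASS = {
    "apiVersion": "storage.k8s.io/v1",
    "kind": "StorageClass",
    "metadata": {"name": "ebs-gp3"},
    "provisioner": "ebs.csi.aws.com",
    "allowVolumeExpansion": True,
}

if __name__ == "__main__":
    patch = plan_expansion(SAMPLE_PVC, SAMPLE_STORAGE_CLASS, "50Gi")
    # Apply with: kubectl -n prod patch pvc db-data --type merge -p "$(cat patch.json)"
    print(json.dumps(patch))
```

The quantity parser matters more than it looks: comparing "20Gi" with "25G" as strings gets the answer wrong, and a rejected shrink surfaces as a confusing API error rather than a clear precondition failure.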
What is the Node Lifecycle Controller and why is it useful?
It's a new controller (beta) that manages node heartbeats and leases. It makes node lifecycle operations more robust and predictable, especially during network partitions or node failures, by providing a clearer picture of node health.
My pod has a busy sidecar and an idle main container. Will HPA scale it?
Traditional HPA might not, as it looks at pod-wide averages. The new alpha Container Resource Based Pod Autoscaling (CRPA) is designed for this exact scenario, allowing scaling based on the needs of individual containers within a pod.
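To see why the pod-wide signal misses a saturated sidecar, it helps to run the numbers. The following is an added example, not code from the Kubernetes project or this article; it serves both the CRPA discussion above and this FAQ entry. It applies the documented HPA formula desiredReplicas = ceil(currentReplicas * currentMetric / targetMetric), with the default 10% tolerance, to constructed CPU metrics for three replicas, once over all containers and once over the sidecar alone.

```python
"""Pod-wide versus per-container utilization as an autoscaling signal.

Added example, not code from the Kubernetes project or the article. It applies the
documented HPA formula desiredReplicas = ceil(currentReplicas * currentMetric / targetMetric),
with the default 10% tolerance, to constructed CPU metrics for a Deployment whose
pods run a lightly loaded "app" container beside a saturated "sidecar".
"""
import math

TOLERANCE = 0.10  # HPA default: no scaling while the ratio is within 10% of 1.0

# Constructed metrics for three replicas: CPU usage and request in millicores.
SAMPLE_PODS = [
    {"app": {"usage": 100, "request": 1000}, "sidecar": {"usage": 190, "request": 200}},
    {"app": {"usage": 120, "request": 1000}, "sidecar": {"usage": 195, "request": 200}},
    {"app": {"usage": 80, "request": 1000}, "sidecar": {"usage": 185, "request": 200}},
]


def utilization_percent(pods, containers=None):
    """Total usage over total requests across all pods, as a percentage.

    With containers=None every container counts, which is the pod-wide Resource
    metric; with a set of names only those containers contribute, which is what a
    per-container metric measures.
    """
    usage = requests = 0
    for pod in pods:
        for name, metrics in pod.items():
            if containers is None or name in containers:
                usage += metrics["usage"]
                requests += metrics["request"]
    return 100.0 * usage / requests


def desired_replicas(current_replicas, current_util, target_util):
    """HPA scaling decision for a utilization target."""
    ratio = current_util / target_util
    if abs(ratio - 1.0) <= TOLERANCE:
        return current_replicas  # within tolerance: leave the replica count alone
    return math.ceil(current_replicas * ratio)


def compare(pods, current_replicas=3, target_util=70.0):
    """Replica counts the two signals would produce for the same pods."""
    pod_wide = utilization_percent(pods)
    sidecar = utilization_percent(pods, {"sidecar"})
    return {
        "pod_wide_percent": round(pod_wide, 1),
        "pod_wide_replicas": desired_replicas(current_replicas, pod_wide, target_util),
        "sidecar_percent": round(sidecar, 1),
        "sidecar_replicas": desired_replicas(current_replicas, sidecar, target_util),
    }


if __name__ == "__main__":
    print(compare(SAMPLE_PODS))
```

With a 70% target, the pod-wide view reports about 24% utilization and would actually scale the Deployment down to 2 replicas, because the large, idle app request dilutes the sidecar's load; the sidecar alone reports 95% and calls for 5 replicas. The large request also hides the sidecar from the pod-wide metric in a way that no tolerance tuning can fix, which is the gap the per-container approach addresses.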
Is legacy ServiceAccount token cleanup now on by default?
Yes, the feature has graduated to stable (GA). This means the automatic cleanup of Secret-based service account tokens is enabled by default, improving cluster security by removing unused tokens.
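Even with the cleaner enabled, it is worth knowing which Secret-based tokens still exist in a cluster and when they were last used. The following is an added example, not code from the Kubernetes project or this article; it serves both the GA note above and this FAQ answer. It reads the documented annotations kubernetes.io/legacy-token-last-used (stamped by the API server when a legacy token authenticates) and kubernetes.io/legacy-token-invalid-since (stamped by the token cleaner before removal) from a Secret list shaped like `kubectl get secrets -A -o json`; the Secret list below is constructed.

```python
"""Audit Secret-based (legacy) ServiceAccount tokens from a kubectl JSON dump.

Added example, not code from the Kubernetes project or the article. It reads the
documented annotations kubernetes.io/legacy-token-last-used (stamped by the API
server when a legacy token authenticates) and kubernetes.io/legacy-token-invalid-since
(stamped by the token cleaner before removal). The Secret list is constructed.
"""
import json
from datetime import date

TOKEN_TYPE = "kubernetes.io/service-account-token"
SA_NAME = "kubernetes.io/service-account.name"
LAST_USED = "kubernetes.io/legacy-token-last-used"
INVALID_SINCE = "kubernetes.io/legacy-token-invalid-since"

# Constructed stand-in for: kubectl get secrets -A -o json (data fields omitted).
SAMPLE_SECRETS_JSON = json.dumps({"items": [
    {"type": TOKEN_TYPE,
     "metadata": {"namespace": "prod", "name": "ci-deployer-token-abc12",
                  "annotations": {SA_NAME: "ci-deployer", LAST_USED: "2024-05-20"}}},
    {"type": TOKEN_TYPE,
     "metadata": {"namespace": "prod", "name": "batch-runner-token-x9k2z",
                  "annotations": {SA_NAME: "batch-runner"}}},
    {"type": TOKEN_TYPE,
     "metadata": {"namespace": "dev", "name": "old-bot-token-q1w2e",
                  "annotations": {SA_NAME: "old-bot", LAST_USED: "2024-01-03",
                                  INVALID_SINCE: "2024-05-01"}}},
    {"type": "Opaque",
     "metadata": {"namespace": "prod", "name": "app-config"}},
]})


def audit_legacy_tokens(secret_list_json, today, stale_after_days=30):
    """Classify every legacy token Secret as active, stale, never-used or invalidated."""
    reference_day = date.fromisoformat(today)
    findings = []
    for item in json.loads(secret_list_json)["items"]:
        if item.get("type") != TOKEN_TYPE:
            continue  # only Secret-based service account tokens are in scope
        meta = item["metadata"]
        annotations = meta.get("annotations", {})
        last_used = annotations.get(LAST_USED)
        if INVALID_SINCE in annotations:
            status = "invalidated"  # the cleaner has already disabled it; deletion follows
        elif last_used is None:
            status = "never-used"   # no authentication recorded since tracking began
        elif (reference_day - date.fromisoformat(last_used)).days > stale_after_days:
            status = "stale"
        else:
            status = "active"
        findings.append({
            "namespace": meta["namespace"],
            "name": meta["name"],
            "serviceAccount": annotations.get(SA_NAME),
            "lastUsed": last_used,
            "status": status,
        })
    return findings


if __name__ == "__main__":
    for finding in audit_legacy_tokens(SAMPLE_SECRETS_JSON, date.today().isoformat()):
        print(finding)
```

The audit is read-only and complements the controller rather than replacing it: "stale" and "never-used" entries are the ones to review with the owning team, while "active" entries show which workloads still depend on long-lived Secret tokens and are candidates for migration to projected, time-bound tokens.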
How does Kubernetes 1.36 improve startup time for pods with SELinux?
It incorporates a much faster implementation for SELinux volume relabeling within the Kubelet. This change drastically reduces the time it takes to start a pod on a node with SELinux enabled and multiple volumes.