Kubernetes v1.36: Security Defaults Tighten as AI Workload Support Matures

· Source: InfoQ · Field: Technology & Digital — Cloud Computing & IT Infrastructure, Artificial Intelligence & Machine Learning, Software Development & Engineering · Depth: Advanced, medium

Summary

Kubernetes v1.36, codenamed Haru, was released on May 14, 2026, introducing 70 enhancements, with 18 stable, 25 beta, and 25 alpha features. This release significantly tightens security defaults, matures support for AI and machine learning workloads, and improves API scalability. Key security advancements include User Namespaces and Mutating Admission Policies reaching General Availability, enhancing container isolation and simplifying policy definition. For AI/ML, Dynamic Resource Allocation (DRA) enhancements are now enabled by default, replacing the integer-GPU model with primitives for partitioned and shared accelerators. Workload-Aware Preemption, an alpha feature, addresses partial preemption failures for distributed training jobs by treating PodGroups as single preemption units. Additionally, sharded list and watch streams are introduced as an alpha feature to alleviate watch stream bottlenecks in large clusters.

Key takeaway

For CTOs and VPs of Engineering managing large-scale Kubernetes deployments, v1.36 offers critical security and AI/ML workload improvements. You should prioritize upgrading to leverage User Namespaces and Mutating Admission Policies for enhanced security, and enable DRA features to optimize GPU utilization for AI workloads. Be aware of removals like `gitRepo` and IPVS mode in kube-proxy, planning migrations before upgrading to avoid disruption and ensure continued operational stability.

Key insights

Kubernetes v1.36 enhances security, AI/ML workload management, and API scalability through new stable and beta features.

Method

Mutating Admission Policies use Common Expression Language (CEL) to express mutation logic natively in the API server, removing the need for an external webhook server. SELinux Volume Labeling applies labels at mount time via `mount -o context=XYZ` to reduce pod startup delays.
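As an added illustration of the CEL-based mutation model described above (this is example policy written for this summary, not from the InfoQ article or the Kubernetes project): a `MutatingAdmissionPolicy` and its binding that set a `RuntimeDefault` seccomp profile on any pod created without one. The policy name, the `RuntimeDefault` choice, and the `admissionregistration.k8s.io/v1` API version (assumed from the release's GA claim; earlier releases served this kind under `v1beta1`) are assumptions of this example.

```yaml
# Example MutatingAdmissionPolicy (not from the original article): default a
# seccomp profile on pods that do not declare one. Names and the API version
# are assumptions for this illustration.
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingAdmissionPolicy
metadata:
  name: default-seccomp-profile.example.com
spec:
  failurePolicy: Fail
  reinvocationPolicy: IfNeeded
  matchConstraints:
    resourceRules:
      - apiGroups: [""]
        apiVersions: ["v1"]
        operations: ["CREATE"]
        resources: ["pods"]
  # Only mutate pods that have not set a pod-level seccomp profile,
  # so an explicit operator choice is never overwritten.
  matchConditions:
    - name: no-pod-level-seccomp-profile
      expression: >-
        !has(object.spec.securityContext) ||
        !has(object.spec.securityContext.seccompProfile)
  mutations:
    - patchType: ApplyConfiguration
      applyConfiguration:
        # Server-side-apply style merge: only the listed fields are touched.
        expression: >-
          Object{
            spec: Object.spec{
              securityContext: Object.spec.securityContext{
                seccompProfile: Object.spec.securityContext.seccompProfile{
                  type: "RuntimeDefault"
                }
              }
            }
          }
---
# The binding activates the policy cluster-wide; a matchResources block
# could narrow it to selected namespaces.
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingAdmissionPolicyBinding
metadata:
  name: default-seccomp-profile-binding.example.com
spec:
  policyName: default-seccomp-profile.example.com
```

The whole decision lives in the API server: the CEL `matchConditions` gate decides whether a pod is a candidate, and the `ApplyConfiguration` expression merges only the `seccompProfile` field, so no TLS-terminating webhook endpoint has to be deployed, certified, or kept highly available for this default to hold. Before relying on it, dry-run a pod without a `securityContext` and confirm the admitted object carries the profile.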

Best for: CTO, VP of Engineering/Data, AI Architect, MLOps Engineer, AI Engineer, DevOps Engineer

Editorial summary, takeaway, and curation by AIssential. Original article published by InfoQ.