{
  "$type": "site.standard.document",
  "bskyPostRef": {
    "cid": "bafyreickgazbk25b7yfuvftn56miyjq7f2m4syba53wdg7uinbs374ohkm",
    "uri": "at://did:plc:25rdn5elo5izoxrmtis34zuk/app.bsky.feed.post/3mpek56vi2dq2"
  },
  "coverImage": {
    "$type": "blob",
    "ref": {
      "$link": "bafkreidwfublrooikvetqg2p4zjtlcb6xvf2oppfbi352nwer4g6c2vh4m"
    },
    "mimeType": "image/webp",
    "size": 31464
  },
  "path": "/azizzoaib786/kubernetes-136-8-features-worth-your-attention-1kkb",
  "publishedAt": "2026-06-28T17:19:32.000Z",
  "site": "https://dev.to",
  "tags": [
    "kubernetes",
    "aws",
    "devops",
    "sre",
    "https://azizzoaib.com"
  ],
  "textContent": "**Kubernetes 1.36 (Haru)** brings around 70 enhancements, ranging from security improvements to new scheduling capabilities. While most release summaries try to cover everything, I wanted to focus on the features that stood out to me as someone working with Kubernetes platforms on a daily basis.\n\nThese are the features I believe Platform Engineers, SREs, and Kubernetes administrators should pay attention to.\n\n##  1. Mutating Admission Policies are Finally GA\n\nOne of the most practical improvements in Kubernetes 1.36 is the graduation of Mutating Admission Policies to General Availability.\nTraditionally, if you wanted to automatically add labels, inject sidecars, or enforce organization-wide defaults, you needed an admission webhook.\n\nThat meant:\n\n  * Running another service\n  * Managing TLS certificates\n  * Monitoring webhook availability\n  * Debugging API server timeouts\n\n\n\nWith Mutating Admission Policies, many of these use cases can now be handled directly inside the Kubernetes API server using CEL expressions.\n\n**Why it matters**\nA failed webhook can block workload creation across an entire cluster. Eliminating that dependency reduces operational complexity and removes a common failure point.\n\n##  2. User Namespaces are GA\n\nUser Namespaces have been in development for years and are finally considered production ready in Kubernetes 1.36.\nWithout User Namespaces, a process running as root inside a container is also root from the perspective of the host operating system.\n\nWith User Namespaces enabled, root inside the container is mapped to an unprivileged user on the node. Even if a container escape vulnerability is exploited, the attacker gains significantly fewer privileges.\n\n**Example**\n\n`spec:\n  hostUsers: false`\n\n**Why it matters**\nThis is one of the biggest container isolation improvements Kubernetes has delivered in recent years.\n\n##  3. 
Fine-Grained Kubelet Authorization\n\nMany monitoring and troubleshooting tools previously required broad access through the nodes/proxy permission.\nKubernetes 1.36 introduces fine-grained kubelet authorization, allowing access to specific endpoints without granting excessive permissions.\n\n**Why it matters**\nThis makes RBAC cleaner and follows the principle of least privilege.\n\n##  4. Node Log Query\n\nIf you've ever SSHed into a worker node just to inspect kubelet logs, you'll appreciate this feature.\nKubernetes now supports retrieving node logs through the Kubernetes API.\n\n**Example**\n`kubectl get --raw \"/api/v1/nodes/node-1/proxy/logs/?query=kubelet\"`\n\n**Why it matters**\nLess SSH access. Faster troubleshooting. Easier automation.\n\n##  5. OCI Volume Support is Stable\n\nThis is one of my favorite additions.\nKubernetes can now mount content directly from OCI registries as a volume source.\n\nInstead of packaging everything into container images or maintaining separate storage systems, teams can distribute:\n\n  * ML models\n  * Static assets\n  * Configuration bundles\n  * Reference datasets\n\n\n\nusing the same OCI registries they already use for containers.\n\n**Why it matters**\nIt simplifies distribution and keeps everything versioned in one place.\n\n##  6. PSI Metrics are Stable\n\nPressure Stall Information (PSI) metrics provide visibility into resource contention for CPU, memory, and I/O.\nTraditional metrics might show a node at 60% CPU utilization.\nPSI tells you whether workloads are actually waiting for resources.\n\n**Why it matters**\nThis helps identify noisy neighbors and improves resource tuning decisions.\n\n##  7. Resource Health Status\n\nKubernetes now provides better visibility into hardware and device health through Resource Health Status.\n\nThis is especially useful when running:\n\n  * GPUs\n  * AI workloads\n\n\n\n**Why it matters**\nTroubleshooting hardware-related issues becomes much easier.\n\n##  8. 
Mutable Suspended Jobs\n\nPreviously, if you wanted to change resource requests for a suspended Job, you often had to recreate it.\nKubernetes 1.36 allows resource requests and limits to be updated while the Job remains suspended.\n\n**Why it matters**\nThis gives platform teams more flexibility when managing batch workloads and scheduled processing jobs.\n\n**Let's Connect**\nThank you for reading.\n\nIf you're building cloud-native platforms, working with AWS, Kubernetes, OpenShift, Terraform, or Platform Engineering, I'd love to hear about your experiences and learn from your journey.\n\nYou can find more of my work at:\n🌐 https://azizzoaib.com\n\nFor questions, feedback, collaboration opportunities, or simply to connect, feel free to reach out at:\n📧 me@azizzoaib.com\n\nCheers!",
  "title": "Kubernetes 1.36: 8 Features Worth Your Attention"
}