Kubernetes 1.36 (Haru): What Actually Changes in Production

Mutating webhooks have started dying, Ingress NGINX is retired, HPA scale-to-zero is still alpha. A pragmatic 1.36 triage for the platform team — without the blogosphere hype.

Kubernetes 1.36 (Haru) went GA on April 22, 2026. The release theme reads as "push complexity into the core platform": less external glue (admission webhooks, metrics adapters, custom log shippers), more built-in endpoints and CEL inside the API server. For a platform team that means parts of the usual zoo of sidecar services can finally be retired, but not everywhere a blog post calls something "GA." Cross-check the official feature-gates table for every claim below: a good share of the 1.36 round-ups already contradict it.

Mutating webhooks have started dying

MutatingAdmissionPolicy reached GA: mutations are now CEL expressions evaluated in-process by kube-apiserver. No external HTTP webhook, no TLS rotation, no separate pods, no up{job="...-webhook"} dashboards, no admission timeouts. An entire class of incidents goes away in one release: an expired webhook cert, an unreachable Gatekeeper, a latency spike on admission that takes down every CREATE/UPDATE in the cluster. What does not go away is failurePolicy: a CEL expression can still fail at runtime (a type error, a field that is not there), and Fail versus Ignore decides whether that blocks the request or silently skips the mutation.

That does not mean Kyverno and Gatekeeper leave tomorrow. Complex policies with cross-object lookups, resource generation, and image signature verification still belong to external engines. But boilerplate mutations like "inject HTTP_PROXY into every pod in this namespace" now live natively in the API server and can be exercised on staging with kubectl apply --dry-run=server, which runs admission without persisting anything, instead of curling a webhook.
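The HTTP_PROXY case as a worked policy plus binding. This is an added example, not a manifest from the page or from the Kubernetes docs; it assumes the GA resource is served as admissionregistration.k8s.io/v1 (earlier releases shipped v1alpha1 and v1beta1), and the proxy URL and the namespace label are placeholders.

```yaml
# Added example (not from the original page). Assumed: API version v1 for the GA
# resource, placeholder proxy URL and namespace label.
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingAdmissionPolicy
metadata:
  name: inject-http-proxy.example.com
spec:
  failurePolicy: Fail          # a CEL runtime error rejects the request instead of silently skipping the mutation
  reinvocationPolicy: IfNeeded # re-run if a later mutation changes the object
  matchConstraints:
    resourceRules:
      - apiGroups: [""]
        apiVersions: ["v1"]
        operations: ["CREATE"]
        resources: ["pods"]
  matchConditions:
    # Idempotence: skip pods where every container already carries HTTP_PROXY.
    - name: not-already-injected
      expression: >-
        !object.spec.containers.all(c,
          has(c.env) && c.env.exists(e, e.name == "HTTP_PROXY"))
  mutations:
    - patchType: ApplyConfiguration
      applyConfiguration:
        # Server-side-apply style merge: containers and env are list-map fields keyed
        # by name, so existing containers and env vars are kept and HTTP_PROXY is added.
        expression: >-
          Object{
            spec: Object.spec{
              containers: object.spec.containers.map(c, Object.spec.containers{
                name: c.name,
                env: [Object.spec.containers.env{
                  name: "HTTP_PROXY",
                  value: "http://proxy.internal.example:3128"
                }]
              })
            }
          }
---
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingAdmissionPolicyBinding
metadata:
  name: inject-http-proxy-binding.example.com
spec:
  policyName: inject-http-proxy.example.com
  matchResources:
    namespaceSelector:
      matchLabels:
        egress: proxied   # placeholder label; only namespaces carrying it are mutated
```

To check the result without creating anything, apply a test pod into a labelled namespace with kubectl apply --dry-run=server -o yaml and confirm the env entry shows up on every container; with failurePolicy: Fail, a broken expression surfaces as a rejected request rather than as pods that quietly lack the proxy setting.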

Ingress NGINX has been retired

On March 24, 2026 SIG Network together with the Security Response Committee declared ingress-nginx retired: no releases, no bug fixes, no security patches. Existing installs keep serving traffic; this is not a kill switch. But every CVE from here on stays unpatched in the component that terminates TLS at the cluster edge, and annotation-heavy configs are now technical debt with a ticking clock. Target options: Envoy Gateway, Cilium Gateway, ALB/Lattice on cloud providers, with Gateway API as the abstraction layer. The migration audit starts with an inventory: which annotation features are actually in use, and which of them map 1:1 onto Gateway API core or extended features. Often the bulk of the annotations turns out to be rewrite-target and proxy-buffer-size. The first maps directly onto the HTTPRoute URLRewrite filter; the second has no portable equivalent and needs the target implementation's own policy objects.
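The rewrite-target case, before and after. Both manifests are an added example and not from the page or from any project's docs; hostnames, Service names and the shared Gateway are placeholders.

```yaml
# Added example (not from the original page). Placeholders: hostname, Service name,
# the Gateway "shared-gateway" in namespace "infra".
#
# Before: ingress-nginx strips the /v1 prefix through an annotation and a regex path.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: api
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /$2
spec:
  ingressClassName: nginx
  rules:
    - host: api.example.internal
      http:
        paths:
          - path: /v1(/|$)(.*)
            pathType: ImplementationSpecific
            backend:
              service:
                name: api-v1
                port:
                  number: 8080
---
# After: Gateway API. Same behaviour, no implementation-specific regex, no annotation.
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: api
spec:
  parentRefs:
    - name: shared-gateway    # Gateway owned by the platform team (Envoy Gateway, Cilium, ...)
      namespace: infra
  hostnames:
    - api.example.internal
  rules:
    - matches:
        - path:
            type: PathPrefix
            value: /v1
      filters:
        - type: URLRewrite
          urlRewrite:
            path:
              type: ReplacePrefixMatch
              replacePrefixMatch: /   # /v1/orders -> /orders at the backend
      backendRefs:
        - name: api-v1
          port: 8080
```

For the inventory step, dumping every Ingress with kubectl get ingress -A -o json and counting the distinct nginx.ingress.kubernetes.io/* annotation keys gives the list to classify; anything that is not a path, header or redirect operation is a candidate for the implementation's own policy attachment rather than a core HTTPRoute filter.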

HPA Scale-to-Zero is alpha, not GA

This is where the most noise lives. The HPAScaleToZero feature gate has been alpha since K8s 1.16 and in 1.36 it stays alpha, default false. Several round-ups claim the opposite — that is misinformation. Verify against the feature-gates docs, not Medium.

What actually works in 1.36 once you flip --feature-gates=HPAScaleToZero=true on kube-apiserver (the gate relaxes the validation that otherwise rejects minReplicas: 0): HPA can natively drive minReplicas: 0 for Object and External metrics (for example, sqs_queue_length), but not for Resource metrics such as CPU and memory, because with zero pods there is nothing to measure. A metrics adapter serving external.metrics.k8s.io is still required. In practice this means KEDA stays relevant, because its scaler catalog covers every source that the Kubernetes-native metrics chain doesn't. The combo "Karpenter + HPA scale-to-zero + a KEDA source" is the serverless Kubernetes people have been waiting for since 2019.
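The shape of an HPA that scales to zero, as an added example that is not part of the original page. It assumes the gate is enabled on kube-apiserver and that some external metrics adapter (KEDA's or a cloud-specific one) serves a metric named sqs_queue_length; the Deployment name and the queue label are placeholders.

```yaml
# Added example (not from the original page). Assumed: HPAScaleToZero enabled on
# kube-apiserver, an external metrics adapter exposing "sqs_queue_length".
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  name: queue-worker
spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: queue-worker
  minReplicas: 0          # rejected by API server validation unless the gate is on
  maxReplicas: 20
  metrics:
    - type: External      # External or Object only; a Resource metric here cannot reach zero
      external:
        metric:
          name: sqs_queue_length
          selector:
            matchLabels:
              queue: orders   # placeholder label understood by the adapter
        target:
          type: AverageValue
          averageValue: "10"  # ~10 queued messages per worker
```

Two checks before trusting it: kubectl get --raw "/apis/external.metrics.k8s.io/v1beta1/namespaces/default/sqs_queue_length" must return a value (otherwise the adapter, not the HPA, is the problem), and a control-plane where the gate is off rejects the manifest at apply time with a validation error on minReplicas, which is the quickest way to tell whether a managed offering actually enabled it.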

User Namespaces GA — the biggest security win in years

A container's root maps to an unprivileged UID range on the host. A container breakout in the runc-CVE style lands as an unprivileged host user instead of host root, and the capabilities a container holds are only valid inside its own user namespace. For multi-tenant clusters this is the most material threat-model change in several years. You opt in per pod with hostUsers: false in the pod spec (the field is hostUsers; its default, true, means "share the host's user namespace"), and it cannot be combined with hostNetwork, hostPID or hostIPC. Nodes need kernel ≥ 6.5 (the hard requirement is idmapped-mount support for every filesystem the pod uses) and a runtime that implements it (containerd 2.0+ or CRI-O). EKS/GKE standard images already ship that; on bare metal and Talos, verify before assuming.
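A pod that both opts in and proves the mapping, as an added example (not from the page). It assumes a node that meets the kernel and runtime requirements; the image tag is a placeholder.

```yaml
# Added example (not from the original page). Assumed: node with user-namespace
# support; busybox tag is a placeholder.
apiVersion: v1
kind: Pod
metadata:
  name: userns-check
spec:
  hostUsers: false             # opt into a per-pod user namespace (default true = host's)
  # hostNetwork, hostPID and hostIPC are rejected together with hostUsers: false
  securityContext:
    runAsUser: 0               # root inside the container ...
  containers:
    - name: check
      image: busybox:1.36
      # ... but /proc/self/uid_map shows container uid 0 mapped to a high, unprivileged host uid
      command: ["sh", "-c", "id -u; cat /proc/self/uid_map; sleep 3600"]
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop: ["ALL"]
```

In kubectl logs userns-check the first line is 0 and the uid_map line reads "0 <host-uid> 65536" with a host uid well above 0; a node that cannot provide the namespace does not start the pod, which is the signal to check the kernel and containerd versions before rolling the setting out fleet-wide.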

Quiet operational maturity

A handful of things that do not make headlines but do change day-2:

  • In-Place Vertical Pod Scaling now works even with Static CPU Manager policy: VPA mutates requests/limits with no restart and no loss of CPU pinning. For high-perf workloads VPA finally becomes truly non-disruptive.
  • Service account tokens for image pulls (kubelet credential provider integration, GA): the kubelet hands the credential provider plugin a short-lived projected service account token bound to the pod, and the plugin exchanges it with the registry's token service for pull credentials, instead of reading a long-lived imagePullSecret. One fewer long-lived artifact in the Secret store.
  • PSI metrics GA: Pressure Stall Information from the Linux kernel (cgroup v2 required) is exposed through kubelet metrics. Instead of "memory at 95%" (which may well be reclaimable page cache) you see how long tasks actually stalled waiting for CPU, memory or I/O. Fewer false-positive pressure alerts, sharper VPA tuning.
  • Node Log Query GA: kubectl get --raw "/api/v1/nodes/<node>/proxy/logs/?query=kubelet" pulls system logs without SSH to the node. Requires the NodeLogQuery gate plus enableSystemLogHandler and enableSystemLogQuery both set to true in the kubelet config; the request goes through the API server's nodes/proxy subresource, so the caller needs that RBAC permission.
  • Fine-Grained Kubelet Authz GA: instead of the coarse nodes/proxy grant that system:kubelet-api-admin hands out, the kubelet authorizes /healthz, /pods and /configz against dedicated subresources (nodes/healthz, nodes/pods, nodes/configz), alongside the existing nodes/stats, nodes/metrics and nodes/log, and only falls back to nodes/proxy for the rest (exec, attach, port-forward, run). Audit accounts get read-only access without a grant that also implies exec into every pod on the node.
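A read-only kubelet role built on the granular subresources, as an added example that is not from the page. It assumes the subresource names above (nodes/healthz, nodes/pods, nodes/configz from the fine-grained authz work, nodes/stats and nodes/metrics pre-existing); the group name is a placeholder.

```yaml
# Added example (not from the original page). Assumed subresource names as listed
# in the lead-in; "platform-auditors" is a placeholder group.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kubelet-readonly-audit
rules:
  - apiGroups: [""]
    resources:
      - nodes/healthz
      - nodes/pods
      - nodes/configz
      - nodes/stats
      - nodes/metrics
    verbs: ["get"]
  # Deliberately absent: nodes/proxy. On the kubelet it still covers /exec, /attach,
  # /portForward and /run, and on the API server it fronts every /nodes/<n>/proxy/ path
  # including the Node Log Query endpoint, so an auditor who needs logs gets a
  # separate, reviewed grant rather than this role growing into admin.
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kubelet-readonly-audit
subjects:
  - kind: Group
    name: platform-auditors
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: kubelet-readonly-audit
  apiGroup: rbac.authorization.k8s.io
```

Verify the boundary with kubectl auth can-i get nodes/pods --as=someone --as-group=platform-auditors (expect yes) and kubectl auth can-i create nodes/proxy --as=someone --as-group=platform-auditors (expect no); the second is the one that matters, because nodes/proxy on the kubelet's own authorizer is the path to exec.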

What will silently break on upgrade

  • gitRepo volume is permanently disabled: manifests with gitRepo: produce broken pods. The fix is moving the build into CI and mounting the artifact.
  • IPVS mode kube-proxy has been removed (it was deprecated in 1.35). Migrate to the nftables kube-proxy mode (GA since 1.33) or back to iptables mode, or to a CNI that replaces kube-proxy entirely (Cilium/eBPF). Check --proxy-mode / mode: in the kube-proxy ConfigMap before the upgrade, not after.
  • 1.36 is the last release with containerd 1.6 support. Plan a containerd 2.x bump alongside the upgrade.
  • service.spec.externalIPs now emits warnings: the path to removal. Move to an Ingress controller or Gateway API.

A one-month triage

Adopt early: MutatingAdmissionPolicy GA, User Namespaces GA, Suspended Job mutability, Fine-Grained Kubelet Authz. Adopt selectively: DRA for GPU-heavy workloads, OCI artifact volumes, In-Place VPA (if you're already on VPA). Watch, don't rush: HPA scale-to-zero (still alpha, needs a feature gate), Mixed Version Proxy (beta), Smarter HPA Pod Selection (alpha). Before kubeadm upgrade, the mandatory pair is kubent + Pluto against manifests and Helm charts; deprecated-API leaks exist in most clusters and only surface during the upgrade itself.