Kubernetes v1.36 and Gateway API v1.5: What Architects Need to Know

Kubernetes v1.36, codenamed Haru (春 — spring in Japanese), shipped on April 22, 2026, and it’s one of the most feature-packed releases in recent memory. With 70 enhancements — 18 graduating to Stable, 25 entering Beta, and 25 new Alpha features — this release touches nearly every layer of the platform. Alongside it, the Gateway API v1.5 landed its biggest update yet, promoting six widely-requested features to Stable.

If you’re running Kubernetes in production, several of these changes directly affect how you architect services, manage security, and route traffic. Let’s break down the features that matter most for real-world systems.

Gateway API v1.5: The End of the Ingress Era

The Gateway API has been steadily replacing the aging Ingress resource, and v1.5 makes the case harder to ignore. Six features graduated to the Standard (GA) channel, but three stand out for production architecture.

ListenerSet: Multi-Tenant Gateway Sharing

Before ListenerSet, all listeners lived on a single Gateway resource. In multi-team environments, this meant every application team needed to coordinate changes to the same object — a bottleneck and a security risk. ListenerSet lets teams define their own listeners independently and attach them to a shared Gateway.

# Infrastructure team defines the shared Gateway
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: shared-gateway
  namespace: infra
spec:
  gatewayClassName: cilium
  allowedListeners:
    namespaces:
      from: All
  listeners:
  - name: http-redirect
    protocol: HTTP
    port: 80
---
# Team A manages their own HTTPS listener
apiVersion: gateway.networking.k8s.io/v1
kind: ListenerSet
metadata:
  name: team-a-listeners
  namespace: team-a
spec:
  parentRef:
    name: shared-gateway
    namespace: infra
  listeners:
  - name: https-api
    protocol: HTTPS
    port: 443
    hostname: api.example.com
    tls:
      certificateRefs:
      - name: api-cert

This is a significant architectural pattern: a central platform team owns the Gateway infrastructure, while application teams own their routing configuration. It also removes the 64-listener limit per Gateway, which was a real constraint at scale.

TLSRoute: Native L4 Routing

TLSRoute graduates to Stable, giving you native SNI-based routing for non-HTTP traffic. It supports two modes: Passthrough (end-to-end encrypted, Gateway sees nothing) and Terminate (Gateway handles TLS and forwards plaintext). For database proxies, gRPC services, or any TCP workload that needs TLS without HTTP semantics, this eliminates the need for external tools like Envoy’s SNI routing patches.
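As an added example (not from the article or the Gateway API project), here is what the Passthrough mode looks like for a PostgreSQL service reached over TLS on its native port: a dedicated TLS listener on a Gateway and a TLSRoute that steers by SNI. The names (db-gateway, orders-db, postgres, *.db.example.com), the gatewayClassName and the use of the `gateway.networking.k8s.io/v1` apiVersion for TLSRoute are assumptions based on the Stable promotion described above.

```yaml
# Added example: SNI passthrough for a TLS-speaking TCP service (names are placeholders).
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: db-gateway
  namespace: infra
spec:
  gatewayClassName: cilium
  listeners:
  - name: tls-passthrough
    protocol: TLS
    port: 5432
    hostname: "*.db.example.com"
    tls:
      mode: Passthrough        # the Gateway only reads the SNI; it never holds a key or sees plaintext
    allowedRoutes:
      namespaces:
        from: Selector          # only namespaces labelled for database access may attach routes
        selector:
          matchLabels:
            gateway-access: db  # constructed label
      kinds:
      - kind: TLSRoute
---
# apiVersion v1 for TLSRoute assumes the Stable promotion in Gateway API v1.5
apiVersion: gateway.networking.k8s.io/v1
kind: TLSRoute
metadata:
  name: orders-db
  namespace: orders
spec:
  parentRefs:
  - name: db-gateway
    namespace: infra
    sectionName: tls-passthrough
  hostnames:
  - orders.db.example.com     # must fall within the listener's wildcard hostname
  rules:
  - backendRefs:
    - name: postgres           # the backend itself presents the certificate for this hostname
      port: 5432
```

Because the Gateway never terminates the session in Passthrough mode, the backend must carry the certificate and any client-certificate enforcement itself, and the Gateway cannot inspect or log anything beyond the SNI. Switching to Terminate means setting `tls.mode: Terminate` with `certificateRefs` on the listener; the backend then receives plaintext, so that hop needs its own protection (a mesh, node-local traffic, or a re-encrypting backend).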

Built-in CORS Filter

The HTTPRoute CORS filter is now Stable, letting you configure cross-origin policies directly in your routing layer instead of in application code or separate middleware. This keeps security configuration declarative and centrally managed — a small change with outsized impact on operational consistency.
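The following HTTPRoute, as an added example that is not part of the article, attaches to the team-a ListenerSet from the earlier manifest and applies an explicit CORS allowlist at the routing layer. The route, backend and origin names are constructed, and attaching to the ListenerSet by `kind: ListenerSet` in the default `gateway.networking.k8s.io` group assumes the Stable form of the resource.

```yaml
# Added example: CORS policy enforced by the Gateway instead of application code.
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: api
  namespace: team-a
spec:
  parentRefs:
  - kind: ListenerSet             # assumed Stable kind; attaches to team-a's own HTTPS listener
    name: team-a-listeners
  hostnames:
  - api.example.com
  rules:
  - matches:
    - path:
        type: PathPrefix
        value: /v1
    filters:
    - type: CORS
      cors:
        allowOrigins:
        - https://app.example.com   # explicit origin, never "*" when credentials are allowed
        allowCredentials: true
        allowMethods:
        - GET
        - POST
        allowHeaders:
        - Authorization
        - Content-Type
        exposeHeaders:
        - X-Request-Id
        maxAge: 600                 # seconds a browser may cache the preflight result
    backendRefs:
    - name: api                     # placeholder Service name
      port: 8080
```

Keeping the origin list explicit matters: browsers refuse a wildcard Access-Control-Allow-Origin on credentialed requests, and a wildcard paired with `allowCredentials: true` would defeat the point of having an allowlist at all. A quick check after applying is `kubectl get httproute -n team-a api -o jsonpath='{.status.parents[*].conditions}'`, which shows whether the route was Accepted by its parent.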

Kubernetes v1.36: Security and Isolation Reach Maturity

Several security-focused features hit GA in this release, and two deserve particular attention from architects designing multi-tenant or regulated environments.

User Namespaces in Pods: GA

After years in development, user namespaces for pods are finally Generally Available. This feature maps a container’s root user (UID 0) to an unprivileged user on the host node. If a process escapes the container, it has zero administrative power over the node.

This is defense-in-depth at the infrastructure level. For anyone running untrusted workloads, multi-tenant platforms, or regulated workloads, this is the most important security feature to enable in v1.36.
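A pod opts in with a single field, `spec.hostUsers: false`. The manifest below is an added example, not taken from the article or the Kubernetes project; the pod name and image are placeholders.

```yaml
# Added example: run a pod inside a user namespace and show the UID mapping.
apiVersion: v1
kind: Pod
metadata:
  name: userns-demo
spec:
  hostUsers: false            # kubelet allocates a private UID/GID range on the node for this pod
  securityContext:
    runAsUser: 0              # root inside the pod only; maps to an unprivileged UID on the host
  containers:
  - name: app
    image: registry.example.com/app:1.0   # placeholder image
    command: ["sh", "-c", "id -u; cat /proc/self/uid_map; sleep 3600"]
```

Inside the container `id -u` still prints 0, but `/proc/self/uid_map` shows a line of the form `0 <host-uid> 65536`: container UID 0 is translated to an unprivileged host UID, which is what strips a breakout of node-level authority. The feature needs a node kernel and container runtime with ID-mapped mount support, and `hostUsers: false` cannot be combined with `hostNetwork`, `hostPID` or `hostIPC`, so pods that need host namespaces stay outside this protection.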

Fine-Grained Kubelet API Authorization: GA

Previously, monitoring tools needed the overly broad nodes/proxy permission to scrape kubelet metrics. Fine-grained kubelet authorization lets you grant precise, least-privilege access to specific kubelet API endpoints. This is a meaningful improvement for security-sensitive clusters where RBAC granularity matters.
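The RBAC below, added here as an example rather than taken from the article, contrasts the broad grant with a least-privilege one for a metrics scraper. `nodes/metrics` and `nodes/stats` are the subresources the kubelet checks for its `/metrics*` and `/stats/summary` endpoints; the ServiceAccount name and namespace are constructed.

```yaml
# Added example: retire nodes/proxy in favour of per-endpoint kubelet subresources.
# Before: the overly broad grant. nodes/proxy covers every kubelet endpoint,
# including exec and port-forward paths. Shown only for contrast.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kubelet-scraper-broad
rules:
- apiGroups: [""]
  resources: ["nodes/proxy"]
  verbs: ["get"]
---
# After: grant only what the scraper actually calls.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kubelet-scraper
rules:
- apiGroups: [""]
  resources: ["nodes/metrics", "nodes/stats"]   # /metrics, /metrics/cadvisor, /stats/summary
  verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kubelet-scraper
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kubelet-scraper
subjects:
- kind: ServiceAccount
  name: prometheus       # constructed
  namespace: monitoring  # constructed
```

Verify the narrowed grant before deleting the old role: `kubectl auth can-i get nodes/metrics --as=system:serviceaccount:monitoring:prometheus` should answer yes while `kubectl auth can-i get nodes/proxy --as=...` answers no. If a scraper stops working after the switch, the kubelet's access log names the subresource it denied, which tells you exactly which additional entry to add instead of falling back to nodes/proxy.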

Workload-Aware Scheduling: Alpha

One of the most architecturally significant alpha features in v1.36 is Workload Aware Scheduling (WAS). The scheduler now treats related pods as a single logical entity through a new PodGroup API and an updated Workload API.

In v1.35, Kubernetes introduced gang scheduling — requiring a minimum number of pods to be schedulable before any were bound. v1.36 goes further with atomic PodGroup scheduling: either all pods in the group are bound to nodes together, or none are. This prevents the partial-scheduling problem that plagued distributed training, batch processing, and multi-service deployments.

While still in Alpha, this is a feature to watch if you’re running ML training workloads, MPI jobs, or any tightly-coupled distributed system on Kubernetes. The architectural implication is significant: Kubernetes is evolving from a container orchestrator into a workload-aware scheduling platform.

Storage and Data Protection

Two storage features reached GA that matter for data-intensive architectures:

Volume Group Snapshots — Take crash-consistent snapshots across multiple PersistentVolumeClaims simultaneously. This is critical for databases that spread across multiple volumes and need point-in-time recovery that’s actually consistent.

Mutable Volume Attach Limits — CSI drivers can now dynamically update the maximum number of volumes a node can handle. The kubelet adjusts these limits based on periodic checks or in response to resource exhaustion, without requiring a restart. This prevents scheduling failures caused by stale volume capacity data.
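For the first of these, a VolumeGroupSnapshot selects its member PVCs by label and the CSI driver cuts them at one instant. The manifest is an added example, not from the article or the external-snapshotter project; the class name, driver, namespace and labels are placeholders, and the `groupsnapshot.storage.k8s.io/v1` apiVersion assumes the GA graduation described above.

```yaml
# Added example: one consistent snapshot across a database's data and WAL volumes.
apiVersion: groupsnapshot.storage.k8s.io/v1     # assumed GA version
kind: VolumeGroupSnapshotClass
metadata:
  name: csi-group-snap
driver: csi.example.com                         # placeholder CSI driver name
deletionPolicy: Retain                          # keep the backing snapshots if the object is deleted
---
apiVersion: groupsnapshot.storage.k8s.io/v1
kind: VolumeGroupSnapshot
metadata:
  name: postgres-nightly
  namespace: databases
spec:
  volumeGroupSnapshotClassName: csi-group-snap
  source:
    selector:
      matchLabels:
        app: postgres      # every PVC in the namespace carrying this label is snapshotted together
```

The PVCs themselves just need the matching label (for example `postgres-data` and `postgres-wal`, both labelled `app: postgres`). Readiness is reported on the object: `kubectl get volumegroupsnapshot -n databases postgres-nightly -o jsonpath='{.status.readyToUse}'`. Restoring still happens per volume, since the controller creates an individual VolumeSnapshot for each member that a new PVC can use as its dataSource.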

Declarative Cluster Management Gets Real

MutatingAdmissionPolicies graduated to Stable, giving you a native way to define resource mutations using CEL (Common Expression Language) directly in the API server. No more external admission webhooks for common mutations like injecting labels, setting default resources, or enforcing naming conventions. Lower latency, no network hop, and fully declarative.
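As an added example (not the article's or the project's own configuration), the policy below ties this feature to the user-namespace change above: it defaults `hostUsers: false` for new pods in namespaces labelled for strict isolation, while leaving pods that set the field explicitly, or that need host namespaces, untouched. The policy and label names are constructed, and the `admissionregistration.k8s.io/v1` apiVersion assumes the GA graduation described above.

```yaml
# Added example: default pods into user namespaces with CEL, no webhook required.
apiVersion: admissionregistration.k8s.io/v1     # assumed v1 after GA
kind: MutatingAdmissionPolicy
metadata:
  name: default-hostusers-false
spec:
  failurePolicy: Fail
  reinvocationPolicy: IfNeeded                  # re-run if a later policy changes the pod
  matchConstraints:
    resourceRules:
    - apiGroups:   [""]
      apiVersions: ["v1"]
      operations:  ["CREATE"]
      resources:   ["pods"]
  matchConditions:
  - name: hostusers-not-set
    expression: "!has(object.spec.hostUsers)"   # respect an explicit choice either way
  - name: no-host-namespaces
    # hostUsers: false is rejected together with host namespaces, so skip those pods
    expression: >-
      !(has(object.spec.hostNetwork) && object.spec.hostNetwork) &&
      !(has(object.spec.hostPID) && object.spec.hostPID) &&
      !(has(object.spec.hostIPC) && object.spec.hostIPC)
  mutations:
  - patchType: ApplyConfiguration
    applyConfiguration:
      expression: >-
        Object{
          spec: Object.spec{
            hostUsers: false
          }
        }
---
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingAdmissionPolicyBinding
metadata:
  name: default-hostusers-false
spec:
  policyName: default-hostusers-false
  matchResources:
    namespaceSelector:
      matchLabels:
        tenant-isolation: strict   # constructed label; bind only where the default is wanted
```

Because admission runs during server-side dry runs, `kubectl apply --dry-run=server -f pod.yaml -o yaml` shows the mutated pod with `hostUsers: false` before anything is created, which is a cheap way to confirm the policy fires only in the intended namespaces.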

Node Log Query also hit GA — you can now query kubelet and kube-proxy logs via kubectl without SSH-ing into nodes. It’s enabled through the NodeLogQuery feature gate and requires services to log to /var/log. A small quality-of-life improvement that saves real debugging time, especially across large clusters.

What This Means for Your Architecture

Kubernetes v1.36 and Gateway API v1.5 together represent a maturation of the platform’s security, routing, and scheduling capabilities. Here’s what to prioritize:

If you’re still using Ingress, start planning your migration to Gateway API. ListenerSet alone solves the multi-tenancy problem that made shared ingress controllers painful. The Ingress2Gateway 1.0 tool (also just announced) can automate the migration.

If you run multi-tenant workloads, enable user namespaces on your nodes. This is the strongest container isolation improvement available in Kubernetes without custom security modules.

If you run ML or batch workloads, keep an eye on Workload Aware Scheduling. While it’s Alpha, the PodGroup API design suggests it will become the standard way to schedule tightly-coupled distributed workloads.

If you manage stateful services, volume group snapshots eliminate a real gap in Kubernetes data protection. Pair them with mutable volume attach limits for more reliable storage operations at scale.

The full release notes are available on the Kubernetes blog, and the Gateway API v1.5 documentation covers the new Standard features in detail. As always, test in staging before upgrading — especially for features that change security behavior like user namespaces and kubelet authorization.

Sources

  1. Kubernetes v1.36: ハル (Haru) — Official Release Announcement
  2. Gateway API v1.5: Moving Features to Stable
  3. Kubernetes v1.36: User Namespaces in Kubernetes are Finally GA
  4. Kubernetes v1.36: Fine-Grained Kubelet API Authorization Graduates to GA
  5. Announcing Ingress2Gateway 1.0: Your Path to Gateway API
  6. Gateway API — Official Documentation
