Kubernetes 1.35 "Timbernetes" — What You Actually Need to Know
Author: Hoang Nguyen

Kubernetes v1.35, codenamed Timbernetes (The World Tree Release), was released on December 17, 2025. It packs 60 enhancements: 17 graduating to stable (GA), 19 moving to beta, and 22 new alpha features. Here is the breakdown of what actually matters for your clusters.
What: The Headline Features
1. In-Place Pod Resize Is GA (KEP-1287)
This is the big one. After years of development — alpha in v1.27, beta in v1.33 — you can now change CPU and memory allocations on running pods without restarting them. Kubernetes modifies the cgroup settings directly on the running container while the application continues serving traffic.
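```bash
# Resize a running pod's container.
# Resource changes on a running pod go through the pod's resize subresource.
kubectl patch pod my-app --subresource resize -p '{"spec":{"containers":[{"name":"app","resources":{"requests":{"cpu":"500m","memory":"256Mi"},"limits":{"cpu":"1","memory":"512Mi"}}}]}}'
```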
Limitations to know: only CPU and memory can be resized. It does not work with Linux swap, static CPU manager, or static memory manager enabled.
2. Gang Scheduling (Alpha)
An "all-or-nothing" scheduling strategy: a group of pods is scheduled only if the cluster can accommodate the entire group simultaneously. This is a game-changer for AI/ML training jobs where partial scheduling leads to deadlocks and wasted resources.
3. StatefulSet maxUnavailable (Beta, Enabled by Default)
Previously, StatefulSet rolling updates replaced pods one at a time. Now you can set maxUnavailable to control how many pods can be unavailable during an update — as an absolute number or percentage. This dramatically speeds up rollouts for large StatefulSets.
```yaml
spec:
  updateStrategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 3
```
4. Configurable HPA Tolerance (Beta)
The HPA now has a tolerance field that defines a threshold for metric variations. If the actual metric is within this tolerance of the target, the autoscaler does not scale. This prevents the flapping behavior that plagues many HPA configurations.
5. Image Volumes (GA)
Pod specs now support volumes that reference OCI images by their registry path. Kubernetes pulls the image layers and mounts them as read-only volumes inside the container — useful for shipping configuration, ML models, or static assets alongside your workloads.
6. Supplemental Groups Policy (GA)
Precise control over how supplemental Unix groups are assigned to individual containers. This closes a long-standing security gap where containers could inherit unexpected group memberships.
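An added illustration (not from the original post or the Kubernetes project) of what the policy changes: with `supplementalGroupsPolicy: Merge`, groups that the image's `/etc/group` assigns to the container's user are added to those declared in the pod's `securityContext`, while `Strict` attaches only the declared ones. The passwd/group contents and all IDs are constructed sample data, and the model assumes `runAsUser` and `runAsGroup` are both set.

```python
def image_groups_for_uid(uid, passwd_text, group_text):
    """GIDs that the image's /etc/group assigns to the user with this UID."""
    names = set()
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == str(uid):
            names.add(fields[0])
    gids = set()
    for line in group_text.splitlines():
        fields = line.split(":")
        members = set(filter(None, fields[3].split(","))) if len(fields) >= 4 else set()
        if names & members:
            gids.add(int(fields[2]))
    return gids


def effective_groups(policy, security_context, passwd_text, group_text):
    """Groups attached to the container process under the given policy."""
    declared = set(security_context.get("supplementalGroups", []))
    for key in ("runAsGroup", "fsGroup"):
        if key in security_context:
            declared.add(security_context[key])
    if policy == "Strict":
        # Only what the pod spec declares; the image's /etc/group is ignored.
        return declared
    if policy == "Merge":
        # Image-defined memberships of the primary user are merged in.
        uid = security_context["runAsUser"]
        return declared | image_groups_for_uid(uid, passwd_text, group_text)
    raise ValueError(f"unknown supplementalGroupsPolicy: {policy!r}")


# Constructed sample: an image whose /etc/group quietly puts uid 1000 in gid 50000.
SAMPLE_PASSWD = "root:x:0:0:root:/root:/bin/sh\nappuser:x:1000:1000::/home/appuser:/bin/sh\n"
SAMPLE_GROUP = "root:x:0:\nappuser:x:1000:\nimage-admins:x:50000:appuser\n"
SAMPLE_CONTEXT = {"runAsUser": 1000, "runAsGroup": 3000, "supplementalGroups": [4000]}

if __name__ == "__main__":
    for policy in ("Merge", "Strict"):
        groups = effective_groups(policy, SAMPLE_CONTEXT, SAMPLE_PASSWD, SAMPLE_GROUP)
        print(policy, sorted(groups))
```

Under `Merge` the process picks up GID 50000 even though the pod spec never mentions it, so any volume or file that authorizes by that GID is reachable without appearing in a manifest review.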
7. Deployment terminatingReplicas Field
The Deployment status now includes terminatingReplicas — the count of pods that have a deletion timestamp but are not fully removed yet. This gives you much better visibility into what is actually happening during rollouts.
Why: The Breaking Changes You Must Prepare For
cgroup v1 Is Disabled by Default
The kubelet will fail to start on nodes using cgroup v1. You must migrate to cgroup v2 before upgrading. Complete removal of cgroup v1 support is expected no earlier than v1.38, but starting now the default behavior blocks it.
Action item: check your nodes with `stat -fc %T /sys/fs/cgroup/`. If the output is `tmpfs`, you are on cgroup v1 and need to migrate. If it is `cgroup2fs`, you are already on v2.
Ingress NGINX Is Being Retired
Ingress NGINX enters best-effort maintenance and will be fully retired after March 2026 — no more releases, bug fixes, or security updates. The recommended migration path is the Gateway API.
Action item: start planning your migration to Gateway API now. If you are on AWS, the AWS Load Balancer Controller already supports Gateway API resources.
KYAML Is the Default Output
`kubectl get -o kyaml` is now enabled by default. KYAML is a safer, less ambiguous YAML subset that prevents common formatting errors (including the notorious "Norway bug", where NO gets interpreted as a boolean false). You can disable it temporarily with `KUBECTL_KYAML=false`.
How: Other Notable Features
| Feature | Stage | Description |
|---|---|---|
| Pod Generation Tracking | Beta | Pods now get a generation counter that increments on spec changes, matching the behavior of Deployments and StatefulSets |
| Job API managed-by | Stable | External controllers can manage Jobs across clusters without conflicting with the built-in Job controller |
| Constrained Impersonation | Alpha | Blocks nodes from impersonating other nodes to extract secrets — a significant security hardening |
| WebSocket Streaming Auth | Stable | Forces additional RBAC checks when establishing persistent connections via kubectl exec, attach, or port-forward |
| PreferSameNode Traffic | Stable | kube-proxy routes traffic to a local endpoint first, improving network efficiency and reducing cross-node latency |
| In-Place Pod Restart | Alpha | Restart all containers in a pod without deleting and recreating it — useful for picking up config changes |
Upgrade Checklist
Before upgrading to v1.35, make sure you:
- Verify cgroup v2 on all nodes — kubelet will refuse to start on cgroup v1
- Audit Ingress NGINX usage — plan migration to Gateway API before March 2026
- Test KYAML output — check if your CI/CD pipelines or scripts depend on specific YAML formatting from kubectl get
- Review HPA configs — the new tolerance field may change existing autoscaling behavior if you relied on the old default
- Test In-Place Resize — if you are using VPA or custom scaling solutions, validate they work correctly with the GA resize API
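
The first two checklist items as an added example (not part of the original post): a Python helper that flags nodes whose cgroup filesystem type is not `cgroup2fs` and lists Ingress objects served by an ingress-nginx IngressClass, including those that rely on the cluster default class. Node names, class names and objects are constructed sample data; treating the legacy annotation value as a class name is an assumption.

```python
import json

# Controller string that ingress-nginx registers in its IngressClass objects.
INGRESS_NGINX_CONTROLLER = "k8s.io/ingress-nginx"
LEGACY_CLASS_ANNOTATION = "kubernetes.io/ingress.class"
DEFAULT_CLASS_ANNOTATION = "ingressclass.kubernetes.io/is-default-class"

def cgroup_v1_nodes(fstype_by_node):
    """Nodes whose `stat -fc %T /sys/fs/cgroup/` output is anything but cgroup2fs."""
    return sorted(n for n, t in fstype_by_node.items() if t.strip() != "cgroup2fs")

def ingress_nginx_users(classes_json, ingresses_json):
    """namespace/name of every Ingress served by an ingress-nginx IngressClass."""
    nginx, default = set(), None
    for c in json.loads(classes_json)["items"]:
        name = c["metadata"]["name"]
        if c.get("spec", {}).get("controller") == INGRESS_NGINX_CONTROLLER:
            nginx.add(name)
        if c["metadata"].get("annotations", {}).get(DEFAULT_CLASS_ANNOTATION) == "true":
            default = name
    hits = []
    for ing in json.loads(ingresses_json)["items"]:
        meta = ing["metadata"]
        cls = (ing.get("spec", {}).get("ingressClassName")
               or meta.get("annotations", {}).get(LEGACY_CLASS_ANNOTATION)
               or default)  # no class set: the cluster default class applies
        if cls in nginx:
            hits.append(f'{meta["namespace"]}/{meta["name"]}')
    return sorted(hits)

# Constructed sample input, shaped like `kubectl get ... -o json` output.
SAMPLE_FSTYPES = {"node-a": "cgroup2fs\n", "node-b": "tmpfs\n"}
SAMPLE_CLASSES = json.dumps({"items": [
    {"metadata": {"name": "nginx", "annotations": {DEFAULT_CLASS_ANNOTATION: "true"}},
     "spec": {"controller": INGRESS_NGINX_CONTROLLER}},
    {"metadata": {"name": "alb"}, "spec": {"controller": "ingress.k8s.aws/alb"}},
]})
SAMPLE_INGRESSES = json.dumps({"items": [
    {"metadata": {"namespace": "shop", "name": "web"}, "spec": {"ingressClassName": "nginx"}},
    {"metadata": {"namespace": "shop", "name": "api"}, "spec": {"ingressClassName": "alb"}},
    {"metadata": {"namespace": "old", "name": "legacy",
                  "annotations": {LEGACY_CLASS_ANNOTATION: "nginx"}}, "spec": {}},
    {"metadata": {"namespace": "ops", "name": "implicit"}, "spec": {}},
]})

if __name__ == "__main__":
    print("cgroup v1 nodes:", cgroup_v1_nodes(SAMPLE_FSTYPES))
    print("ingress-nginx users:", ingress_nginx_users(SAMPLE_CLASSES, SAMPLE_INGRESSES))
```

On a real cluster the two JSON inputs would come from `kubectl get ingressclass -o json` and `kubectl get ingress -A -o json`, and the filesystem types from running the `stat` command on each node.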
P/S: This is a landmark release. In-Place Pod Resize alone changes how we think about resource management in production. And the cgroup v1 deprecation is a clear signal — if you have not migrated yet, the clock is ticking. Start with a staging cluster, validate your node images, and plan the upgrade path now.