
Kubernetes 1.35 Enhances Resource Scaling, AI Workloads

Kubernetes 1.35 introduces in-place pod resource adjustments for zero-downtime scaling and strengthens security with constrained impersonation and pod certificates.

Dec 17, 2025

The latest Kubernetes 1.35 release, codenamed 'Treenetes,' brings significant advancements to the cloud-native platform. Key features include the general availability of in-place pod resource adjustments, enabling CPU and memory modifications without service interruption. The update also introduces gang scheduling for distributed AI workloads, improving coordination for multi-pod applications. Security enhancements like constrained impersonation and mutual TLS for pods bolster cluster defenses. Furthermore, the release deprecates IPVS proxy mode in favor of nftables, streamlining networking infrastructure. These updates underscore Kubernetes' ongoing evolution in supporting demanding enterprise and AI-driven cloud environments.

Kubernetes, an open-source system for automating deployment, scaling, and management of containerized applications. Credit: Shutterstock

The open-source Kubernetes cloud-native platform has unveiled its final major release for 2025, version 1.35. This update arrives approximately four months after the 1.34 release, which focused on a range of networking improvements. Kubernetes has become the industry standard for container orchestration, powering diverse applications from traditional web services to complex distributed AI training clusters across all major cloud providers.

As its adoption continues to expand, Kubernetes faces increasing demands to both eliminate technical debt and introduce new enterprise-grade capabilities. The 1.35 release successfully addresses these priorities. It graduates in-place pod resource adjustments to general availability, allowing administrators to modify CPU and memory allocations without service interruption. Concurrently, the project deprecates IP Virtual Server (IPVS) proxy mode, guiding networking towards a more contemporary architecture. The release also strengthens certificate lifecycle automation and enhances security policy controls, reflecting the project’s continuous evolution.

The Kubernetes community has chosen “Treenetes” as the codename for version 1.35, drawing inspiration from World Tree mythology. This symbolism reflects both the project’s growing maturity and its expansive, diverse contributor base. The name signifies the platform’s deepening roots as a foundational technology, particularly for emerging fields such as artificial intelligence and edge computing.

Advancing Resource Management and Distributed Workloads

A cornerstone feature of Kubernetes 1.35 is the general availability of in-place pod resource adjustments. This capability, tracked as Kubernetes Enhancement Proposal (KEP) 1287, was initially proposed in 2019 and fundamentally transforms how container resources are managed in production environments. It empowers administrators to modify resource requests and limits on a running pod without requiring a restart, a significant operational advantage.

Previously, altering resource specifications necessitated the destruction and recreation of a pod, leading to application downtime, dropped network connections, and the need for scheduled maintenance windows. The new implementation directly modifies cgroup (control group) settings on running containers. When resource specifications change, Kubernetes updates the existing cgroup, allowing applications to continue executing without interruption. This is particularly beneficial for demanding workloads like AI training jobs, which can now scale vertically without restarts, and for edge computing environments that require flexible resource management without the complexities of pod recreation.

The implementation of in-place resource adjustments requires cgroups v2 on the underlying Linux nodes. Kubernetes 1.35 marks the deprecation of cgroups v1 support, urging older deployments to upgrade their operating systems to leverage this new functionality. Most modern enterprise Linux distributions already include cgroups v2, simplifying the transition for many users. This shift streamlines resource optimization, making Kubernetes even more adaptable for dynamic cloud environments.
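The two paragraphs above describe what an in-place resize does but not what an operator actually sends, or which changes the API server will refuse. The following is an added example, not Kubernetes project code: it plans a resize for one container, checks it against two admission rules as this author reads them in the Kubernetes documentation (the pod's QoS class must not change, and a memory limit may only be lowered when the container's memory `resizePolicy` is `RestartContainer`), and emits the `kubectl patch ... --subresource resize` command. The pod spec is a constructed sample; `SAMPLE_POD`, `plan_resize` and `ResizeRejected` are names chosen here.

```python
"""Plan an in-place pod resize and emit the patch for the pod 'resize'
subresource.  Added example, not Kubernetes project code.  The two admission
rules it encodes (the pod's QoS class must not change; a memory limit may only
be lowered when the container's memory resizePolicy is RestartContainer) are
this author's reading of the Kubernetes documentation; the pod below is a
constructed sample."""
import json
import re

# Multipliers for the quantity suffixes Kubernetes accepts.
_UNITS = {"": 1, "k": 10**3, "M": 10**6, "G": 10**9, "T": 10**12,
          "Ki": 2**10, "Mi": 2**20, "Gi": 2**30, "Ti": 2**40}


def parse_cpu(q):
    """'500m' -> 500 millicores; '2' -> 2000 millicores."""
    q = str(q)
    return int(q[:-1]) if q.endswith("m") else int(float(q) * 1000)


def parse_mem(q):
    """'512Mi' -> bytes."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([kMGT]i?)?", str(q))
    if not m:
        raise ValueError(f"bad quantity {q!r}")
    return int(float(m.group(1)) * _UNITS[m.group(2) or ""])


_PARSE = {"cpu": parse_cpu, "memory": parse_mem}


def qos_class(containers):
    """Derive the pod QoS class from its containers: Guaranteed when every
    container has cpu and memory limits equal to its requests, BestEffort
    when nothing is set, Burstable otherwise."""
    any_set, guaranteed = False, True
    for c in containers:
        req = c.get("resources", {}).get("requests", {})
        lim = c.get("resources", {}).get("limits", {})
        for res in ("cpu", "memory"):
            limit = lim.get(res)
            request = req.get(res, limit)  # a request defaults to the limit
            any_set = any_set or bool(request or limit)
            if limit is None or request is None or \
                    _PARSE[res](request) != _PARSE[res](limit):
                guaranteed = False
    if not any_set:
        return "BestEffort"
    return "Guaranteed" if guaranteed else "Burstable"


class ResizeRejected(ValueError):
    """The resize breaks one of the rules encoded here."""


def plan_resize(pod, container_name, new_resources):
    """Return (patch_body, kubectl_command) for an in-place resize of one
    container, or raise ResizeRejected."""
    containers = pod["spec"]["containers"]
    target = next((c for c in containers if c["name"] == container_name), None)
    if target is None:
        raise ResizeRejected(f"no container named {container_name!r}")
    old_lim = target.get("resources", {}).get("limits", {})
    new_lim = new_resources.get("limits", {})
    if "memory" in old_lim and "memory" in new_lim and \
            parse_mem(new_lim["memory"]) < parse_mem(old_lim["memory"]):
        policy = {p["resourceName"]: p["restartPolicy"]
                  for p in target.get("resizePolicy", [])}
        if policy.get("memory", "NotRequired") != "RestartContainer":
            raise ResizeRejected("memory limit decrease needs resizePolicy "
                                 "memory=RestartContainer")
    proposed = [dict(c, resources=new_resources) if c["name"] == container_name
                else c for c in containers]
    before, after = qos_class(containers), qos_class(proposed)
    if before != after:
        raise ResizeRejected(f"resize would change QoS class {before} -> {after}")
    # Strategic merge patch keyed on the container name, sent to the resize subresource.
    patch = {"spec": {"containers": [{"name": container_name,
                                      "resources": new_resources}]}}
    ns = pod["metadata"].get("namespace", "default")
    cmd = (f"kubectl -n {ns} patch pod {pod['metadata']['name']} "
           f"--subresource resize --patch '{json.dumps(patch)}'")
    return patch, cmd


# Constructed sample: a Burstable training pod whose memory limit may not shrink in place.
SAMPLE_POD = {
    "metadata": {"name": "trainer-0", "namespace": "ml"},
    "spec": {"containers": [{
        "name": "trainer",
        "image": "example.invalid/trainer:1",
        "resizePolicy": [{"resourceName": "cpu", "restartPolicy": "NotRequired"},
                         {"resourceName": "memory", "restartPolicy": "NotRequired"}],
        "resources": {"requests": {"cpu": "500m", "memory": "512Mi"},
                      "limits": {"cpu": "1", "memory": "1Gi"}},
    }]},
}

if __name__ == "__main__":
    _, cmd = plan_resize(SAMPLE_POD, "trainer",
                         {"requests": {"cpu": "1", "memory": "1Gi"},
                          "limits": {"cpu": "2", "memory": "2Gi"}})
    print(cmd)
```

Running the planner rejects a request that would turn the Burstable sample pod into a Guaranteed one, and a memory-limit cut on a container whose memory policy is `NotRequired`, before anything reaches the cluster; both are cases where the kubelet would otherwise either refuse the change or have to restart the container, which is exactly the downtime the feature is meant to avoid.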

Optimizing AI and Distributed Applications

The new release also introduces preview features designed to enhance the orchestration of distributed applications, particularly those in the AI domain. Among these is “gang scheduling,” tracked as KEP-4671. This feature addresses the challenge of distributed applications that require multiple pods to launch simultaneously, ensuring that all necessary components are available before any part of the application begins processing.

Gang scheduling adds a new workload object to the cluster, grouping pods together. These grouped pods either all start together, or none of them start at all. This mechanism simplifies the deployment and management of distributed applications by eliminating the complexity of manually coordinating dependencies and ensuring proper startup order. For AI workloads, where multiple instances often collaborate on data training, gang scheduling ensures that the entire distributed training job initializes correctly and efficiently, preventing partial failures or resource contention.

Additionally, version 1.35 includes a preview of node-declared features (KEP-5328). This allows nodes to advertise their specific capabilities, preventing pods from being scheduled on nodes that lack the features they need. This proactive approach helps to avoid runtime failures and capability mismatches, further enhancing the reliability and stability of Kubernetes deployments. By aligning pod requirements with node capabilities, the platform optimizes resource allocation and improves overall cluster performance.

Bolstering Security and Networking Modernization

Kubernetes 1.35 introduces several security enhancements aimed at preventing cluster compromise and fostering zero-trust architectures. These features are critical for protecting sensitive data and maintaining the integrity of cloud-native applications. As organizations increasingly deploy critical workloads on Kubernetes, robust security mechanisms become paramount.

Constrained impersonation (KEP-5284) enters alpha status in this release. This feature is designed to block malicious machines from impersonating legitimate nodes within the cluster. By doing so, it prevents unauthorized access and the potential extraction of sensitive information from running applications and pods. This adds a crucial layer of defense against sophisticated attack vectors targeting cluster infrastructure.

Furthermore, pod certificates for mutual TLS (KEP-4317) reach beta, enabling mutual TLS authentication between pods. This capability is foundational for implementing zero-trust networking models, where every pod-to-pod communication requires cryptographic verification of identity and integrity. Such a model significantly reduces the attack surface and enhances the overall security posture of distributed applications.

The release also includes improvements to OCI (Open Container Initiative) image volume sources (KEP-4639), particularly beneficial for edge computing and storage. This feature enables the attachment of read-only data volumes as OCI artifacts, simplifying data distribution and management in edge deployments where resources may be constrained.

Phasing Out Legacy Networking Components

Beyond new features, Kubernetes 1.35 also focuses on shedding technical debt by deprecating older components. A significant change in this release is the deprecation of IP Virtual Server (IPVS) proxy mode for service load balancing. This decision encourages network teams to transition to nftables-based implementations, aligning Kubernetes with more modern Linux networking frameworks.

IPVS has been a fundamental networking option since Kubernetes 1.8, utilizing the Linux kernel’s IPVS load balancer to distribute service traffic. Many production deployments adopted IPVS due to its superior performance compared to the original iptables-based kube-proxy, especially in large clusters with thousands of services. However, the networking landscape has evolved.

Nftables represents the modern Linux packet filtering framework, having replaced iptables in the kernel networking stack. It offers improved performance and more flexible rule management. Nftables consolidates packet filtering, Network Address Translation (NAT), and load balancing into a unified, more efficient interface. Network administrators must now plan and test nftables compatibility with their existing service mesh implementations and network policies. The deprecation timeline spans multiple releases, providing teams ample time to strategize and execute their migrations. This move underscores the project’s commitment to maintaining a modern, high-performing, and secure networking stack, ensuring Kubernetes remains at the forefront of cloud-native technologies.
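The first step of the migration the section calls for is finding out which proxy mode each cluster actually runs and what changes when the mode is switched. The following is an added example, not a Kubernetes project tool: it audits the `config.conf` text of a kube-proxy configuration, flags the IPVS mode the page says is deprecated in 1.35, notes that the `ipvs:` section becomes dead configuration after the switch, and produces the migrated text. The configuration is a constructed sample, and the kernel version floor for nftables mode is this author's recollection of the kube-proxy documentation, labelled as an assumption in the code.

```python
"""Audit a kube-proxy configuration for the IPVS deprecation and sketch the
nftables migration.  Added example, not a Kubernetes project tool.  The config
text is a constructed sample shaped like the 'config.conf' key of the
kube-proxy ConfigMap; NFTABLES_MIN_KERNEL is this author's recollection of the
documented floor for nftables mode and is an assumption."""
import re

# Modes the page reports as deprecated in this release.
DEPRECATED_MODES = {"ipvs": "deprecated in Kubernetes 1.35; migrate to nftables"}
NFTABLES_MIN_KERNEL = (5, 13)  # assumption: documented kernel floor for nftables mode


def proxy_mode(config_text):
    """Return the effective proxy mode: the 'mode:' value, or 'iptables' when
    the key is absent or empty (kube-proxy's default on Linux)."""
    m = re.search(r'^mode:\s*"?([A-Za-z]*)"?\s*$', config_text, re.M)
    return (m.group(1) if m else "") or "iptables"


def audit_kube_proxy(config_text, kernel_version=None):
    """Return the current mode, a list of findings and a migrated config."""
    mode = proxy_mode(config_text)
    findings = []
    migrated = config_text
    target = "nftables" if mode in DEPRECATED_MODES else mode
    if mode in DEPRECATED_MODES:
        findings.append(f"mode {mode}: {DEPRECATED_MODES[mode]}")
        migrated = re.sub(r"^mode:.*$", "mode: nftables", migrated, count=1, flags=re.M)
        if re.search(r"^ipvs:", config_text, re.M):
            findings.append("ipvs: section is ignored in nftables mode; remove it "
                            "after the switch")
    if target == "nftables" and kernel_version is not None \
            and tuple(kernel_version) < NFTABLES_MIN_KERNEL:
        findings.append(f"kernel {'.'.join(map(str, kernel_version))} is below the "
                        f"assumed nftables floor {'.'.join(map(str, NFTABLES_MIN_KERNEL))}")
    return {"mode": mode, "target": target, "findings": findings, "migrated": migrated}


# Constructed sample of a cluster still on the deprecated IPVS mode.
SAMPLE_IPVS_CONFIG = """\
apiVersion: kubeproxy.config.k8s.io/v1alpha1
kind: KubeProxyConfiguration
mode: ipvs
ipvs:
  scheduler: rr
  strictARP: true
"""

if __name__ == "__main__":
    report = audit_kube_proxy(SAMPLE_IPVS_CONFIG, kernel_version=(5, 4))
    for finding in report["findings"]:
        print("-", finding)
    print(report["migrated"])
```

On a live cluster the text to feed in comes from the `config.conf` key of the `kube-proxy` ConfigMap in `kube-system`, and the node kernel version from the node's `status.nodeInfo.kernelVersion`; the audit only reads, so it can run against every cluster before any rollout plan is written.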