Kubernetes v1.36 lands end of April 2026 — and it’s not messing around.
Already, 15 years into its lifecycle, the project is enforcing a deprecation policy that’s seen zero mercy for relics like the gitRepo volume driver, dormant since v1.11.
Think about it. Clusters humming with unpatched externalIPs? That’s a MitM dream, straight out of the CVE-2020-8554 playbook. v1.36 slaps warnings on that field now, yanks it fully by v1.43.
But here’s my angle — one the official sneak peek glosses over: this purge mirrors the Linux kernel’s great code cull of 2011, when Linus Torvalds slashed 10% of the codebase to kill bloat. Kubernetes, maturing into a full-blown OS for clouds, is doing the same. Expect tighter, meaner clusters that force everyone to level up.
Why Is Ingress NGINX Finally Retired?
March 24, 2026. SIG-Security pulls the plug on Ingress NGINX — no more releases, no bugfixes, zilch for vulns.
Existing setups? They’ll limp along on frozen Helm charts and images. But the nudge is clear: ditch it for Gateway API or whatever aligns with modern security. It’s the Kubernetes lifecycle in microcosm — evolve or evaporate.
“To prioritize the safety and security of the ecosystem, Kubernetes SIG Network and the Security Response Committee have retired Ingress NGINX on March 24, 2026. Since that date, there have been no further releases, no bugfixes, and no updates to resolve any security vulnerabilities discovered.”
That quote? Straight from the announcement. Chilling in its finality.
And yeah, the community’s scrambling — but this isn’t disruption for drama’s sake. It’s architectural hygiene. Old ingress controllers were bandaids on a networking model begging for replacement. Gateway API’s been stable since v1.29; time to commit.
Kubernetes v1.36’s Deprecation Hit List
externalIPs in Service spec. Deprecated.
You’ll get warnings starting v1.36, full removal v1.43. Why? It lets attackers sniff and spoof traffic to your services — documented nightmare fuel.
Migrate? LoadBalancer for cloud magic, NodePort for basics, or — best bet — Gateway API. That KEP-5707 lays it out cold.
Then gitRepo volumes. Dead as of v1.36. No toggle to resurrect. This thing, deprecated eons ago in v1.11, let foes run root code on nodes.
Still using it? You’re in the stone age. Swap to init containers, git-sync sidecars. KEP-5040 seals the tomb.
These aren’t casual tweaks. They’re the project admitting: we’ve tolerated too much for too long. Ops teams ignoring KEPs? Your wake-up call.
Security first, always.
Now, the shiny bits.
What Performance Boost Does SELinux Get in v1.36?
SELinux labeling for volumes hits GA.
Remember Pod startups crawling on enforcing systems? Recursive relabeling was the culprit — beta since v1.28 for ReadWriteOncePod volumes.
v1.36 flips to mount -o context=XYZ. Boom: labels the whole volume at mount time. Consistent speed, slashed delays.
Why care? If you’re in DoD land or any SELinux shop (Red Hat, anyone?), this is your green light for production. No more beta roulette.
But dig deeper — this isn’t isolated. Kubernetes networking’s shifting hard toward Gateway API, phasing out dinosaur modes like externalIPs. Prediction: by v1.40, half your ingress will be Gateway, or you’ll be the odd one out.
And the deprecation policy itself? Ironclad. Stable APIs need successors before deprecation; betas get three releases grace; alphas? Fair game. It’s kept the ecosystem sane through 36 versions.
Critique time — the sneak peek’s hype on ‘impressive enhancements’ feels PR-polished. Truth? Most excitement’s in the cuts, not the adds. Kubernetes isn’t reinventing; it’s pruning to thrive.
Look, if you’re on ancient workloads, audit now. Tools like kube-no-trouble can flag deprecated APIs cluster-wide. Don’t wait for v1.36 to bite.
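An added example, not from the Kubernetes project or the original post: a small audit for the two fields this release targets, Service spec.externalIPs and gitRepo volumes, run over the JSON that kubectl get services,pods,deployments,statefulsets,daemonsets,replicasets,jobs,cronjobs -A -o json prints. The sample objects, names and addresses below are constructed for illustration.

```python
import json
import sys

# Path from each workload kind to its Pod template (empty for a bare Pod).
TEMPLATE_PATHS = {
    "Pod": (),
    "Deployment": ("spec", "template"), "StatefulSet": ("spec", "template"),
    "DaemonSet": ("spec", "template"), "ReplicaSet": ("spec", "template"),
    "Job": ("spec", "template"),
    "CronJob": ("spec", "jobTemplate", "spec", "template"),
}

def audit(dump):
    """Return sorted (kind, namespace/name, finding) tuples for a kubectl JSON dump."""
    items = dump["items"] if "items" in dump else [dump]
    findings = []
    for obj in items:
        kind = obj.get("kind")
        meta = obj.get("metadata") or {}
        ref = f"{meta.get('namespace', 'default')}/{meta.get('name', '?')}"
        if kind == "Service":
            ips = (obj.get("spec") or {}).get("externalIPs") or []
            if ips:  # deprecated in v1.36 per the article
                findings.append((kind, ref, "externalIPs=" + ",".join(ips)))
        elif kind in TEMPLATE_PATHS:
            node = obj
            for key in TEMPLATE_PATHS[kind]:
                node = node.get(key) or {}
            for vol in (node.get("spec") or {}).get("volumes") or []:
                if "gitRepo" in vol:  # removed in v1.36 per the article
                    findings.append((kind, ref, "gitRepo volume " + vol.get("name", "?")))
    return sorted(findings)

# Constructed sample in the shape of a kubectl "List" dump (not real cluster data).
SAMPLE = {"kind": "List", "items": [
    {"kind": "Service", "metadata": {"namespace": "web", "name": "legacy-fe"},
     "spec": {"type": "ClusterIP", "externalIPs": ["203.0.113.10"]}},
    {"kind": "Service", "metadata": {"namespace": "web", "name": "api"},
     "spec": {"type": "LoadBalancer"}},
    {"kind": "Pod", "metadata": {"namespace": "ci", "name": "builder"},
     "spec": {"volumes": [{"name": "src", "gitRepo": {"repository": "https://git.example.invalid/app.git"}}]}},
    {"kind": "CronJob", "metadata": {"namespace": "ci", "name": "nightly"},
     "spec": {"jobTemplate": {"spec": {"template": {"spec": {"volumes": [
         {"name": "code", "gitRepo": {"repository": "https://git.example.invalid/jobs.git"}},
         {"name": "tmp", "emptyDir": {}}]}}}}}},
]}

if __name__ == "__main__":
    # Pass a saved dump as argv[1]; with no argument the constructed sample is used.
    dump = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for kind, ref, finding in audit(dump):
        print(f"{kind:<10} {ref:<20} {finding}")
```

Pods created by a controller are reported alongside their owning workload, so fix the template first and the Pod findings clear on the next rollout.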
This release cements Kubernetes as the reluctant grown-up. No more coddling insecure holdouts. Your move.
Why Does Kubernetes v1.36 Matter for Ops Teams?
Because migration’s non-negotiable. externalIPs users: test LoadBalancer swaps yesterday. gitRepo holdouts: init containers await.
Ingress NGINX fans — scout alternatives. Community’s buzzing with Istio, Contour, even cloud-native options like AWS ALB.
SELinux win? Cherry on top, but only if your stack’s clean.
Bold call: v1.36 accelerates Kubernetes’ pivot to ‘secure-by-default.’ Like Docker’s userns remap mandates years back, it’ll cull sloppy deploys. Winners? Teams already Gateway API-native. Losers? Legacy chasers.
We’ve seen this before — v1.22’s dockershim yank forced containerd adoption. Painful, then progress. Same arc here.
Frequently Asked Questions
What workloads will break in Kubernetes v1.36?
Anything leaning on Service spec.externalIPs (warnings now, gone v1.43) or gitRepo volumes (fully removed, no enable flag). Migrate to Gateway API or init containers pronto.
Is Ingress NGINX safe to keep using after retirement?
It’ll run on existing installs, but zero patches mean vulns pile up. SIG-Security urges switching to maintained controllers like Gateway API implementations.
When does SELinux volume labeling become production-ready?
GA in v1.36 — mount-time labeling cuts Pod startup lags on enforcing systems. Beta-tested since v1.28.