π€ Generated by Claude Code at the maintainer's request (interactive session).
k8s 1.36 ("Haru", GA ~22 Apr 2026) β platform readiness & follow-ups
A review of Kubernetes 1.36 against this platform. Headline: nothing in 1.36 forces a change β the platform is clean against every removal and deprecation. The version bump itself is now possible (Talos 1.13.3 raised the ceiling) but not urgent, and a few GA features are worth adopting opportunistically. This issue tracks the follow-ups.
β
Clean bill of health β 1.36 removals/deprecations that do not affect us
| 1.36 change |
Why we're unaffected |
| IPVS kube-proxy deprecated |
Cilium runs kubeProxyReplacement: true (k8s/bases/infrastructure/controllers/cilium/helm-release.yaml) β no kube-proxy, no IPVS at all |
gitRepo volume removed |
Not used anywhere (GitOps via Flux) |
Service externalIPs deprecated (removal ~1.43) |
Not used β ingress is the Cilium Gateway β Hetzner LB |
| Legacy AppArmor annotations removed |
talos/cluster/apparmor.yaml is a Talos kernel LSM arg, not the removed container.apparmor.security.beta.kubernetes.io/* pod annotation |
| SELinux volume labeling GA (breaking in 1.37) |
Talos uses AppArmor, not SELinux |
| Endpoints API deprecation |
No raw kind: Endpoints; EndpointSlice via Cilium |
πΌ The version bump (k8s 1.35.5 β 1.36) β optional, not urgent
π― Opportunities (GA features worth adopting)
π« Considered and skipped
- Mutating Admission Policy / Declarative Validation β GA β native CEL admission is nice, but Kyverno already covers our mutations plus cosign image verification and
generate rules that MutatingAdmissionPolicy can't do. No migration value.
Sources
k8s 1.36 ("Haru", GA ~22 Apr 2026) β platform readiness & follow-ups
A review of Kubernetes 1.36 against this platform. Headline: nothing in 1.36 forces a change β the platform is clean against every removal and deprecation. The version bump itself is now possible (Talos 1.13.3 raised the ceiling) but not urgent, and a few GA features are worth adopting opportunistically. This issue tracks the follow-ups.
β Clean bill of health β 1.36 removals/deprecations that do not affect us
kubeProxyReplacement: true(k8s/bases/infrastructure/controllers/cilium/helm-release.yaml) β no kube-proxy, no IPVS at allgitRepovolume removedexternalIPsdeprecated (removal ~1.43)talos/cluster/apparmor.yamlis a Talos kernel LSM arg, not the removedcontainer.apparmor.security.beta.kubernetes.io/*pod annotationkind: Endpoints; EndpointSlice via CiliumπΌ The version bump (k8s 1.35.5 β 1.36) β optional, not urgent
ksail.prod.yaml) supports k8s 1.31β1.36. The lockstep comment inksail.prod.yamlmakes "bumpkubernetesVersionwhen Talos's range moves" the maintainer's manual step (protected file).ksail.prod.yamlnow documents Talos v1.13.6 with Kubernetes 1.36 support.π― Opportunities (GA features worth adopting)
hostUsers: falsemaps container UID 0 to an unprivileged host UID (defence in depth, complements restricted PSS + Kubescape/Tetragon + SPIRE mTLS). Beta/on-by-default since 1.30, so it works on 1.35.5 today.idinside the container shows the remapped UID, no events.hostUsers: false, pods Running, canary Succeeded.+(hostUsers): falseanchor rule ink8s/bases/infrastructure/cluster-policies/best-practices/add-security-context.yaml(the repo's established pattern for cross-cutting pod-spec defaults), scoped via namespace/label allow-list to exclude stateful workloads (Longhorn/OpenBao/CNPG/SPIRE). Do not add the blanket rule before per-app validation β it would hit volume-bearing workloads where idmap support is load-bearing.container_pressure_{cpu,io,memory}_{stalled,waiting}_seconds_totalkubelet cAdvisor metrics and 798 active Coroot series each for CPU, I/O, and memory PSI. No extra privileged kubelet scrape is warranted.GROUP_SNAPSHOTcapability, our snapshot-controller is 5.0.4 (group snapshots need ~v8.x), and Velero support is young. CNPG already has WAL/barman backups. Watch β re-evaluate when Longhorn ships group-snapshot support.π« Considered and skipped
generaterules that MutatingAdmissionPolicy can't do. No migration value.Sources