Release notes for kOps 1.35 series

kOps 1.35.0 adds Kubernetes 1.35 support, expands warm pool capabilities, broadens OS coverage (RHEL 10, Ubuntu 25.10), and refreshes most bundled components.

Significant changes

Container Runtime

Networking

  • Update Cilium to v1.18.6 (#17899)
  • Read secrets from any namespace, not just kube-system
  • Fix envoy config for Gateway API
  • Update Calico to v3.31.3 (#17838, #17831)
  • Skip installing Wireguard when disabled (#17687)
  • Update AWS VPC CNI to v1.21.1 (#17834, #17823, #17783)
  • Update kube-router to v2.7.1
  • Create iproute2 symlink for older distros
  • Migrate Kindnet to the Kubernetes production registry (#17689)
  • Pull CNI plugins from GitHub instead of GCS (#17716, #17676)
  • Prevent failing DNS requests during CoreDNS pod shutdown
  • dns-controller: use pod IPs when creating records for pods annotated with AnnotationNameDNSInternal

AWS

  • Tag Launch Template network interfaces (#17773)
  • Warm pool improvements:
      • Allow warm pool with mixed instances policy (#17800)
      • Disable the kubelet during the warm pool lifecycle (#17792)
      • Enable CloudWatch metrics for the warm pool of an ASG (#17776)
      • Pull user-defined images in the warm pool (#17861)
  • Karpenter: add iam:ListInstanceProfiles permission (#17854)
  • Add missing IAM permissions for AWS Load Balancer Controller and Cloud Controller Manager (#17705)
  • Add snapshot permissions for CreateVolume (#17757)
  • Bypass the graceful OS shutdown process on cluster deletion (#17670)
  • Enforce graceful OS shutdown for Xen instances (#17675)
  • Truncate very long SQS queue names (#17877)
  • AL2023: use a dedicated systemd-networkd configuration for AWS VPC CNI and set MACAddressPolicy=none (#17867, #17933)

Azure

  • Allow independent VMs to join the cluster, enabling Karpenter-style workflows (#17710)
  • Use VXLAN encapsulation for pod traffic with Calico (#17832)
  • Avoid spurious changes in NetworkSecurityGroup (#17734)

GCP

  • Update Cloud Controller Manager to v35 (#17841, #17793)
  • Update GCE PD CSI Driver to v1.22.1 (#17712)
  • Support cloudLabels for GCE InstanceGroups (#17821)
  • Allow specific GCE InstanceGroups to have public IP addresses (#17680)
  • Support specifying IOPS and throughput when using hyperdisks (#17685)

Hetzner

  • Update default server type to cx23 (#17917)
  • Add kOps details to the Hetzner Cloud client user agent (#17875)
  • Refresh the Getting Started documentation (#17916)

OpenStack

  • Pass through InsecureSkipVerify into OpenStack components (#17908)
  • Bump OpenStack CSI images (#17872, #17652)

Etcd

  • Update etcd to v3.6.6 for Kubernetes 1.34+ (#17812)
  • Update etcd to v3.5.25 / v3.5.24 for Kubernetes <1.34 (#17812, #17720)
  • Update etcd-manager to v3.0.20260227
  • Make additional etcd tuning variables configurable (#17929)
  • Add EtcdEventsHTTP feature flag to disable TLS on the events etcd cluster (#17891)

Other Components

  • Update cluster-autoscaler to v1.34.1 (#17725)
  • Update CoreDNS to v1.13.2 (#17817)
  • Update cert-manager to v1.19.2 (#17808)
  • Update metrics-server to v0.8.0 (#17788)
  • Update Go to 1.25.8

Operating System Support

  • Add experimental support for Ubuntu 25.10 (Questing Quokka) (#17664)
  • Add experimental support for RHEL 10 (and variants), Fedora, and CentOS Stream (#17785)
  • Default to nftables on RHEL 10+ where iptables is broken (#17789)
  • Set kube-proxy proxyMode to nftables on RHEL 10 (#17920)
  • Disable cloud-init network hotplug on Ubuntu 24.04 for Cilium and AWS VPC CNI

Kubernetes Configuration

  • Channels: add Kubernetes 1.35 support (#17839)
  • kube-apiserver: add DeleteCollectionWorkers field and raise the default to speed up namespace cleanup (#17928, #17934)
  • kubelet: add MaxParallelImagePulls field (#17755)
  • kubelet: add CrashLoopBackOffMaxContainerRestartPeriod to wait less for control-plane pods to restart (#17510)
  • kubelet: remove the unused --pod-infra-container-image flag (#17657)
  • kube-scheduler: configure Qps and Burst (#17763)
  • kube-scheduler: wait for the auth conf from the API server (#17868)
  • kops-controller: bump default QPS limits (#17701)
  • nodeup: add exponential backoff when calling kops-controller (#17930)

Breaking changes

  • bridge-utils, conntrack, pigz, and libltdl are no longer installed by default (#17694, #17668, #17667)

Other changes of note

  • Cluster API (experimental): additional support, including a new toolbox command to generate ClusterAPI objects and shared bootstrap config builder (#17636, #17655, #17703, #17650)
  • Bare-metal: support dns=none and use the API server IP for kops-controller (#17884)
  • Replace deprecated kOps CLI flags (#17939)
  • Allow setting map[string][]string from the command line (#17679)
  • Skip package updates at boot time and only refresh the package list before installing (#17708, #17704)
  • Fix node bootstrap challenge response hashing (#18043)

Known Issues

  • None at this time

Deprecations

  • Support for Kubernetes version 1.29 is removed in kOps 1.35.

  • Support for Kubernetes version 1.30 is deprecated and will be removed in kOps 1.36.

  • Support for Amazon Linux 2 is deprecated and will be removed in kOps 1.36.

  • Support for Ubuntu 20.04 is deprecated and will be removed in kOps 1.36.

  • Support for Debian 10 is deprecated and will be removed in kOps 1.36.

  • Support for AWS Classic Load Balancer (CLB) for the API, deprecated since kOps 1.26, will be rejected for new clusters in kOps 1.36 and fully removed (existing clusters must migrate) in kOps 1.37. See the CLB to NLB migration guide for the upgrade procedure.

  • Support for gossip-based clusters (.k8s.local domains), deprecated since kOps 1.29, will be rejected for new clusters in kOps 1.36 and fully removed (existing clusters must migrate) in kOps 1.37. Migrate to --dns=none or a hosted DNS zone.