Kubernetes kops v1.34.3 Release - Etcd and Go Updates

Kubernetes kops v1.34.3 was released on May 27 2026. This point release focuses on stabilizing the control plane through significant updates to the etcd management layer and a migration to the Go 1.26 toolchain.

The full release notes and downloads are on the GitHub release page.

The project has updated etcd-manager to v3.0.20260512. This update includes critical patches for both the 3.5 and 3.6 branches of etcd, specifically targeting versions 3.5.30 and 3.6.11. These versions address several edge cases in cluster state consistency that can occur during member replacement or under heavy disk I/O contention. Ensuring that the backing store of the cluster remains consistent is a primary goal for this maintenance release.

A technical fix was merged for the HasHighlyAvailableControlPlane function. It now correctly utilizes AllInstanceGroups to determine the redundancy status of the control plane. This change ensures that cluster operations requiring high availability are not blocked by incorrect state detection. This is particularly important for operators running multi zone clusters where the loss of a single instance group should not incorrectly trigger a loss of availability status if other replicas remain functional.

Cilium operators gain more control in this release with the ability to set arbitrary cilium-config entries directly within the cluster specification. This allows platform engineers to apply fine grained tuning to the Cilium agent without waiting for explicit field support in the kops API. Along with this flexibility, the release adds specific flags for bpf-lb-sock and bpf-lb-sock-hostns-only. These flags are essential for users optimizing socket based load balancing performance and host namespace isolation in the data plane.

The Cilium liveness probe has also been updated to require k8s-connectivity. This change prevents a race condition where a Cilium pod might be marked as healthy before it has established a functional path to the Kubernetes API server. By tightening the health check requirements, the project reduces the window where traffic might be routed to a node with a non functional networking stack.

AWS users benefit from several targeted fixes. The release includes a bypass for the Load Balancer Controller mservice webhook in the kube-system namespace. This prevents circular dependencies that could stall cluster bootstrapping when the controller is responsible for the ingress that it also manages. For security conscious operators, the kops-controller now skips node S3 permissions when it is configured to serve node configuration directly. This reduces the IAM privilege set required by individual worker nodes. Additionally, the project now truncates very long SQS queue names to avoid hitting AWS service limits when cluster names are exceptionally long.

On GCE, the kops-controller is now exposed on an internal load balancer for gossip clusters. This improves the reliability of communication between nodes and the control plane in environments where external load balancers are restricted. Azure users will see more reliable gossip seed discovery as protokube now correctly lists VMSS network interface cards. Hetzner Cloud support has also been improved with an upgrade of the hcloud-cloud-controller-manager to v1.30.1, ensuring compatibility with recent changes in the Hetzner API.

The release migrates the 1.34 branch to the Go 1.26.3 toolchain. This update brings the latest compiler optimizations and security fixes to the kops binaries. Running with a modern Go version is critical for performance and for maintaining a small security footprint. The Cluster Autoscaler has also been bumped to version 1.35.0, aligning it with the expected versioning for recent Kubernetes releases.

The dns-controller component received updates to make the priorityClassName configurable, allowing operators to ensure that DNS management pods are not evicted during periods of resource pressure. It also now defaults the provider correctly when ExternalDNS settings are only partially defined, reducing configuration friction for hybrid DNS setups.

While this is a minor patch release, the update to etcd-manager and the bump in etcd patch versions suggest that operators should verify control plane health before and after the upgrade. The transition to Go 1.26.3 is an internal change but ensures that the binaries running on your nodes are built with a modern toolchain. We recommend performing a rolling update of the control plane nodes first to ensure etcd stability before moving to worker nodes.

The release is available via the standard channels. You can find the binaries, container images, and full change log at the following locations: