Kubernetes kops v1.35.1: Runtime and Infrastructure Updates

The kubernetes project released kops v1.35.1 on May 28 2026. This point release focuses on critical runtime updates including Go 1.26.3 and containerd 2.3.1. It also introduces initial support for the Ubuntu 26.04 operating system and provides more granular control over network configuration and cloud provider integrations.

The full release notes and downloads are on the GitHub release page.

The project has updated the base toolchain and core components to ensure compatibility with modern environments. Go moves to version 1.26.3 for the 1.35 release branch. This update follows a previous bump to 1.25.9 earlier in the cycle. Moving the build toolchain forward allows the project to benefit from the latest compiler optimizations and security fixes in the Go runtime.

The release also upgrades containerd to version 2.3.1. This addresses recent upstream changes in the container runtime. The move to the 2.3 branch brings better support for modern container features and improved resource management. While this provides a more stable foundation for workloads, operators should verify their monitoring and logging integrations as runtime upgrades can sometimes change the format of internal metrics.

For state management, etcd-manager moves to version v3.0.20260512. This version includes support for etcd 3.5.30 and 3.6.11. These versions contain important stability fixes for the underlying consensus store. Additionally, the build process now uses the gcr.io/distroless/static base image to reduce the attack surface of the resulting binaries. This shift improves security by removing unnecessary shell utilities and libraries, though it does make direct container debugging more complex.

Cilium operators gain more control over agent configuration in this release. The project now allows setting arbitrary entries in the cilium-config map. This change provides flexibility for advanced networking setups without requiring custom kops builds. New flags for bpf-lb-sock and bpf-lb-sock-hostns-only are also available to fine tune the BPF load balancer behavior.

In AWS environments, kops now bypasses the Load Balancer Controller webhook for cert-manager and kube-system namespaces. This adjustment ensures that certificate management and core system components can initialize without being blocked by a webhook that might not be ready yet. This is a significant improvement for cluster bootstrap reliability. The trade off is a slight reduction in validation strictness for those specific namespaces during the initial setup phase.

The dns-controller also receives updates to make the priorityClassName configurable. This allows better scheduling priority for critical DNS components during cluster resource contention. Making this configurable helps prevent DNS resolution failures when a node is under heavy pressure.

This version introduces initial support for Ubuntu 26.04 as a node operating system. This allows early testing on the latest LTS release from Canonical for long term planning. Azure integration sees a fix for storage account encoding in azureblob:// URLs. This ensures that assets are correctly located in varied storage configurations across different regions.

For GCE clusters using gossip mode, the kops-controller is now exposed on an internal load balancer to improve reachability. This change simplifies the communication path for nodes in private network environments. The Hetzner cloud controller manager also sees an upgrade to version v1.30.1, bringing better integration with the latest Hetzner Cloud API features.

The logic for determining if a control plane has high availability now uses all instance groups via the HasHighlyAvailableControlPlane function. Previously, this check might have missed certain configurations. This is critical for clusters that distribute control plane nodes across multiple zones or groups to ensure they meet the expected availability targets.

The kops CLI adds a --use-kubeconfig flag to the kops reconcile cluster command. This allows operators to specify a particular configuration file during the reconciliation process, improving automation flexibility. The kops-controller now includes validation for instance group names to prevent invalid resource names from being propagated to the cloud provider.

For operators using instance requirements, this release fixes a bug in memory assignment and adds support for excludedInstanceTypes. The instanceRequirements field allows for more dynamic instance selection, and the new exclusion option allows operators to prevent specific instance families from being used. This is useful for avoiding instance types with known performance issues or incompatible hardware features.

A fix for the kops get assets command addresses an issue when the spec.dnsZone is defined as a full DNS name. This ensures that asset discovery works correctly for clusters with complex DNS configurations. The change allows kops to correctly map the zone name to the corresponding cloud resources during the asset retrieval phase.

Operators should note the new validation of instance group names within the kops-controller. Existing groups with unusual names should be verified before applying updates. The cluster autoscaler is updated to version 1.35.0 to match the kops minor version. This ensures that the autoscaling logic is fully compatible with the instance management changes in this release.