π€ Generated by Claude Code at the maintainer's request (interactive session).
k8s 1.36 ("Haru", GA ~22 Apr 2026) β platform readiness & follow-ups
A review of Kubernetes 1.36 against this platform. Headline: nothing in 1.36 forces a change β the platform is clean against every removal and deprecation. The version bump itself is now possible (Talos 1.13.3 raised the ceiling) but not urgent, and a few GA features are worth adopting opportunistically. This issue tracks the follow-ups.
β
Clean bill of health β 1.36 removals/deprecations that do not affect us
| 1.36 change |
Why we're unaffected |
| IPVS kube-proxy deprecated |
Cilium runs kubeProxyReplacement: true (k8s/bases/infrastructure/controllers/cilium/helm-release.yaml) β no kube-proxy, no IPVS at all |
gitRepo volume removed |
Not used anywhere (GitOps via Flux) |
Service externalIPs deprecated (removal ~1.43) |
Not used β ingress is the Cilium Gateway β Hetzner LB |
| Legacy AppArmor annotations removed |
talos/cluster/apparmor.yaml is a Talos kernel LSM arg, not the removed container.apparmor.security.beta.kubernetes.io/* pod annotation |
| SELinux volume labeling GA (breaking in 1.37) |
Talos uses AppArmor, not SELinux |
| Endpoints API deprecation |
No raw kind: Endpoints; EndpointSlice via Cilium |
πΌ The version bump (k8s 1.35.5 β 1.36) β optional, not urgent
π― Opportunities (GA features worth adopting)
π« Considered and skipped
- Mutating Admission Policy / Declarative Validation β GA β native CEL admission is nice, but Kyverno already covers our mutations plus cosign image verification and
generate rules that MutatingAdmissionPolicy can't do. No migration value.
Sources
k8s 1.36 ("Haru", GA ~22 Apr 2026) β platform readiness & follow-ups
A review of Kubernetes 1.36 against this platform. Headline: nothing in 1.36 forces a change β the platform is clean against every removal and deprecation. The version bump itself is now possible (Talos 1.13.3 raised the ceiling) but not urgent, and a few GA features are worth adopting opportunistically. This issue tracks the follow-ups.
β Clean bill of health β 1.36 removals/deprecations that do not affect us
kubeProxyReplacement: true(k8s/bases/infrastructure/controllers/cilium/helm-release.yaml) β no kube-proxy, no IPVS at allgitRepovolume removedexternalIPsdeprecated (removal ~1.43)talos/cluster/apparmor.yamlis a Talos kernel LSM arg, not the removedcontainer.apparmor.security.beta.kubernetes.io/*pod annotationkind: Endpoints; EndpointSlice via CiliumπΌ The version bump (k8s 1.35.5 β 1.36) β optional, not urgent
ksail.prod.yaml) supports k8s 1.31β1.36. The lockstep comment inksail.prod.yamlmakes "bumpkubernetesVersionwhen Talos's range moves" the maintainer's manual step (protected file).ksail.prod.yaml): the comment still reads "Talos v1.12.4 supports Kubernetes 1.30-1.35" even thoughtalos.versionis now v1.13.3 (supports 1.31β1.36) β left behind by the Renovate Talos bump (fix(deps): update dependency siderolabs/talos to v1.13.3Β #1801). Update when the next prod change touches the file.π― Opportunities (GA features worth adopting)
hostUsers: falsemaps container UID 0 to an unprivileged host UID (defence in depth, complements restricted PSS + Kubescape/Tetragon + SPIRE mTLS). Beta/on-by-default since 1.30, so it works on 1.35.5 today.idinside the container shows the remapped UID, no events.hostUsers: false, pods Running, canary Succeeded.+(hostUsers): falseanchor rule ink8s/bases/infrastructure/cluster-policies/best-practices/add-security-context.yaml(the repo's established pattern for cross-cutting pod-spec defaults), scoped via namespace/label allow-list to exclude stateful workloads (Longhorn/OpenBao/CNPG/SPIRE). Do not add the blanket rule before per-app validation β it would hit volume-bearing workloads where idmap support is load-bearing.GROUP_SNAPSHOTcapability, our snapshot-controller is 5.0.4 (group snapshots need ~v8.x), and Velero support is young. CNPG already has WAL/barman backups. Watch β re-evaluate when Longhorn ships group-snapshot support.π« Considered and skipped
generaterules that MutatingAdmissionPolicy can't do. No migration value.Sources