Skip to content

k8s 1.36 readiness: clean on removals; pilot user namespaces, watch VolumeGroupSnapshotΒ #1807

Description

@devantler

πŸ€– Generated by Claude Code at the maintainer's request (interactive session).

k8s 1.36 ("Haru", GA ~22 Apr 2026) β€” platform readiness & follow-ups

A review of Kubernetes 1.36 against this platform. Headline: nothing in 1.36 forces a change β€” the platform is clean against every removal and deprecation. The version bump itself is now possible (Talos 1.13.3 raised the ceiling) but not urgent, and a few GA features are worth adopting opportunistically. This issue tracks the follow-ups.

βœ… Clean bill of health β€” 1.36 removals/deprecations that do not affect us

1.36 change Why we're unaffected
IPVS kube-proxy deprecated Cilium runs kubeProxyReplacement: true (k8s/bases/infrastructure/controllers/cilium/helm-release.yaml) β€” no kube-proxy, no IPVS at all
gitRepo volume removed Not used anywhere (GitOps via Flux)
Service externalIPs deprecated (removal ~1.43) Not used β€” ingress is the Cilium Gateway β†’ Hetzner LB
Legacy AppArmor annotations removed talos/cluster/apparmor.yaml is a Talos kernel LSM arg, not the removed container.apparmor.security.beta.kubernetes.io/* pod annotation
SELinux volume labeling GA (breaking in 1.37) Talos uses AppArmor, not SELinux
Endpoints API deprecation No raw kind: Endpoints; EndpointSlice via Cilium

πŸ”Ό The version bump (k8s 1.35.5 β†’ 1.36) β€” optional, not urgent

  • Unlocked: Talos 1.13.3 (already pinned, ksail.prod.yaml) supports k8s 1.31–1.36. The lockstep comment in ksail.prod.yaml makes "bump kubernetesVersion when Talos's range moves" the maintainer's manual step (protected file).
  • No forcing function: the Talos #13350 scheduler-config bug (1.36 plugin fields leaking into a 1.35 kube-scheduler config) was a 1.13.2 regression fixed in 1.13.3, which we already pin β€” so 1.35.5-on-1.13.3 is healthy.
  • Recommendation: let 1.36.2/1.36.3 bake before bumping; nothing here is pressing, and we just landed 1.35.5.
  • Stale doc to fix (protected ksail.prod.yaml): the comment still reads "Talos v1.12.4 supports Kubernetes 1.30-1.35" even though talos.version is now v1.13.3 (supports 1.31–1.36) β€” left behind by the Renovate Talos bump (fix(deps): update dependency siderolabs/talos to v1.13.3Β #1801). Update when the next prod change touches the file.

🎯 Opportunities (GA features worth adopting)

  • User Namespaces β†’ GA β€” the standout. hostUsers: false maps container UID 0 to an unprivileged host UID (defence in depth, complements restricted PSS + Kubescape/Tetragon + SPIRE mTLS). Beta/on-by-default since 1.30, so it works on 1.35.5 today.
    • Pilot on whoami (stateless canary) β€” feat(whoami): pilot user namespaces (hostUsers: false) in prodΒ #1808 (draft).
    • Validate in prod: pod starts, id inside the container shows the remapped UID, no events.
    • Extend to homepage (apex, always-on; has read-only configMap mounts β€” verify those mount cleanly under userns). β€” live-verified 2026-07-04: hostUsers: false, pods Running, canary Succeeded.
    • Then stateful workloads (Longhorn/CNPG) β€” these need idmap-volume support; evaluate per-app, last.
    • Generalize once proven β€” move off per-app overlay patches to a Kyverno +(hostUsers): false anchor rule in k8s/bases/infrastructure/cluster-policies/best-practices/add-security-context.yaml (the repo's established pattern for cross-cutting pod-spec defaults), scoped via namespace/label allow-list to exclude stateful workloads (Longhorn/OpenBao/CNPG/SPIRE). Do not add the blanket rule before per-app validation β€” it would hit volume-bearing workloads where idmap support is load-bearing.
  • PSI Metrics β†’ GA β€” CPU/memory/IO pressure-stall metrics from the kubelet (needs cgroup v2, which Talos already uses). Useful given our OOM-cascade/rightsizing history, but Coroot's eBPF node-agent already surfaces much of this. Gated on the 1.36 bump. Low priority; wire into Coroot scraping if/when we bump.
  • VolumeGroupSnapshot β†’ GA β€” crash-consistent multi-PVC snapshots; would pair with the Velero CSI/data-mover work (feat(velero): CSI snapshot + data-mover backups for Longhorn PVCsΒ #1790) for CNPG. Triple-gated and not actionable now: Longhorn 1.11.2 does not implement the CSI GROUP_SNAPSHOT capability, our snapshot-controller is 5.0.4 (group snapshots need ~v8.x), and Velero support is young. CNPG already has WAL/barman backups. Watch β€” re-evaluate when Longhorn ships group-snapshot support.

🚫 Considered and skipped

  • Mutating Admission Policy / Declarative Validation β†’ GA β€” native CEL admission is nice, but Kyverno already covers our mutations plus cosign image verification and generate rules that MutatingAdmissionPolicy can't do. No migration value.

Sources

Metadata

Metadata

Assignees

No one assigned

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    Status
    No status

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions