Kubernetes 1.35 Security: 7 Game-Changing Features Released Today (DevSecOps Must-Know)
Source: Dev.to
Kubernetes v1.35 – Security‑Focused Release (Dec 17 2025)
Kubernetes 1.35 just dropped today, and if you’re running production workloads you need to pay attention. This isn’t just another incremental update; it’s packed with security primitives that fundamentally change how we think about workload isolation, authentication, and defense‑in‑depth.
From user namespaces reaching beta‑by‑default to mTLS pod certificates and hardened image‑pull verification, Kubernetes 1.35 delivers the features DevSecOps teams have been requesting for years. Let’s break down what actually matters.
Why Kubernetes 1.35 Security Matters Now
The security landscape has shifted. Multi‑tenant clusters, zero‑trust architectures, and supply‑chain attacks have forced Kubernetes to evolve beyond basic RBAC and network policies. Version 1.35 addresses gaps that have featured in real‑world attacks and CVEs:
- Container escapes that land as host root, because the container shares the host's user namespace
- Unauthorized reuse of private images already cached on a node
- Weak workload‑to‑workload authentication
- Node impersonation via loosely validated kubelet serving certificates
These aren't theoretical weaknesses: the runc escape CVE‑2024‑21626 cited below is one public example of the first class. Kubernetes 1.35's security features provide mitigations production teams can deploy now.
The 7 Critical Security Features in Kubernetes 1.35
| # | Feature | Maturity | What It Does | Why It Matters | Quick Implementation |
|---|---|---|---|---|---|
| 1 | User Namespaces (KEP‑127) | Beta‑by‑Default | Maps container UID 0 (root) to an unprivileged UID on the host, so a process that escapes the container runs as an unprivileged host user rather than host root. | Blunts container‑escape bugs (e.g., runc CVE‑2024‑21626): the escaped process still needs a separate privilege escalation on the host. | Set hostUsers: false in the PodSpec (a pod‑level field, not part of securityContext). Test CSI drivers and hostPath mounts first; file ownership under the mapped UIDs can surprise them. |
| 2 | mTLS Pod Certificates (KEP‑4317) | Beta | The kubelet requests an X.509 certificate for a pod through a PodCertificateRequest and delivers it via a projected volume; a built‑in signer lets pods authenticate to the API server with mTLS instead of a bearer token. | Gives every pod a short‑lived, signer‑issued identity with no hand‑managed certificate Secrets, the building block zero‑trust networking and service meshes need. | Enable the PodCertificateRequest feature gate on kubelet and API server, then add a projected podCertificate volume source with a signerName to the pod. |
| 3 | Robust Image Pull Authorization (KEP‑2535) | Beta | Adds imagePullCredentialsVerificationPolicy to KubeletConfiguration so the kubelet re‑checks registry credentials before reusing an image already present on the node, with exceptions for preloaded and allowlisted images. | Closes a cross‑tenant exposure on shared nodes: under the old behaviour a pod with no registry credentials could run a private image that another pod had already pulled. | Set the policy (for example AlwaysVerify) in your kubelet config and enable its feature gate; expect workflows that relied on cached private images without credentials to break until they carry pull secrets. |
| 4 | Hardened Kubelet Certificate Validation (KEP‑4872) | Alpha | The API server checks that the kubelet serving certificate it receives identifies the node it meant to reach (CN system:node:<nodeName>) rather than accepting any certificate the cluster CA signed. | Stops a compromised node, or anyone holding another node's serving certificate, from impersonating a node and intercepting exec, logs and port‑forward traffic. | Enable the alpha feature gate and confirm your kubelet serving certificates carry the expected system:node:<nodeName> identity. |
| 5 | Constrained Impersonation (KEP‑5284) | Alpha | An impersonating caller must also be authorized for the requested action in their own right; impersonation can no longer grant more than the caller already has. | Stops privilege escalation via debug and proxy workflows that impersonate high‑privilege service accounts or groups. | Enable the alpha feature gate and audit who holds the impersonate verb (and wildcard verbs, which include it) in RBAC. |
| 6 | User Namespaces for HostNetwork Pods (KEP‑5607) | Alpha | Allows hostNetwork: true pods to keep hostUsers: false. | Enables workloads that need host‑network access (e.g., CNI plugins, monitoring agents) without gaining host‑root privileges. | Enable the alpha feature gate and set hostUsers: false on host‑networked pods. |
| 7 | CSI ServiceAccount Tokens via Secrets (KEP‑5538) | Alpha | Passes the pod's ServiceAccount token to CSI drivers in the secrets field of the NodePublishVolume request instead of volumeContext. | Keeps a bearer token out of a field drivers treat as non‑sensitive metadata and tend to log, reducing accidental leakage. | Enable the alpha feature gate and update CSI drivers to read the token from secrets. |
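The three beta rows above, as added example manifests (written for this article, not taken from the original post or from the Kubernetes project): a pod that opts into user namespaces and prints its UID mapping, a pod that mounts a KEP‑4317 certificate, and a kubelet configuration with the weak default beside the hardened policy. Registry, pod and service‑account names are placeholders; the field and feature‑gate names follow KEP‑127, KEP‑4317 and KEP‑2535 and should be checked against the v1.35 API and KubeletConfiguration references before use.

```yaml
# Added example manifests (not from the original post). Names are placeholders.
---
# 1. User namespaces (KEP-127). hostUsers is a PodSpec field, not part of
#    securityContext. Inside the container, /proc/self/uid_map shows the
#    mapping: with user namespaces it reads like "0 1000000 65536" (container
#    root -> unprivileged host UID); without them it reads "0 0 4294967295".
apiVersion: v1
kind: Pod
metadata:
  name: userns-check
spec:
  hostUsers: false
  containers:
  - name: app
    image: registry.example.com/team/app:1.0   # placeholder image
    command: ["sh", "-c", "cat /proc/self/uid_map && id && sleep 3600"]
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop: ["ALL"]
---
# 2. Pod certificates (KEP-4317). The projected source asks the kubelet to
#    request a certificate from the named signer; the PEM bundle (key + chain)
#    lands at /var/run/secrets/podcert/credentialbundle.pem and is rotated by
#    the kubelet. Requires the PodCertificateRequest feature gate.
apiVersion: v1
kind: Pod
metadata:
  name: podcert-demo
spec:
  hostUsers: false
  serviceAccountName: api-client      # placeholder service account
  containers:
  - name: app
    image: registry.example.com/team/app:1.0   # placeholder image
    volumeMounts:
    - name: podcert
      mountPath: /var/run/secrets/podcert
      readOnly: true
  volumes:
  - name: podcert
    projected:
      sources:
      - podCertificate:
          signerName: kubernetes.io/kube-apiserver-client-pod
          keyType: ED25519
          credentialBundlePath: credentialbundle.pem
---
# 3. Robust image pull authorization (KEP-2535), KubeletConfiguration.
#    Weak (default):  NeverVerifyPreloadedImages - a pod with no registry
#                     credentials may run any private image another pod
#                     already pulled onto this node.
#    Hardened:        AlwaysVerify - credentials are re-checked on every use.
#    NeverVerifyAllowlistedImages plus preloadedImagesVerificationAllowlist
#    is the middle ground for images baked into the node image.
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
featureGates:
  KubeletEnsureSecretPulledImages: true
imagePullCredentialsVerificationPolicy: AlwaysVerify
# preloadedImagesVerificationAllowlist:
# - registry.example.com/base/distroless
```

Apply the first pod to a staging node, then run kubectl logs on it: if the first line of uid_map still starts with 0 0, the node's runtime or kubelet is not honouring hostUsers: false and the rest of the rollout should wait.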
What DevSecOps Teams Should Do Now
Don’t wait for the next quarterly upgrade cycle. Here’s an actionable plan:
- Test User Namespaces in staging: set hostUsers: false in the PodSpec (a pod‑level field, not part of securityContext) and monitor for storage and file‑permission issues, especially with hostPath volumes and CSI drivers.
- Enable Robust Image Pull Authorization: add imagePullCredentialsVerificationPolicy to your kubelet config. Expect workflows that rely on cached private images without credentials to break, so test first.
- Audit Impersonation RBAC: review who holds the impersonate verb, and wildcard verbs, which include it. Over‑privileged debug workflows need tightening before constrained impersonation lands.
- Evaluate mTLS Pod Certificates for service‑mesh migration: if certificate lifecycle management has delayed mesh adoption, KEP‑4317 gives each pod a kubelet‑requested, signer‑issued certificate to build on.
- Review your alpha feature adoption policy: kubelet certificate validation and constrained impersonation are still alpha. Decide whether your risk tolerance allows testing them in non‑production clusters.
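The impersonation audit in the plan above, as an added example (my script, not code from the original post or from the Kubernetes project). It reads the JSON that kubectl get clusterroles,clusterrolebindings,roles,rolebindings -A -o json prints and reports every role that grants impersonation, who is bound to it, and whether the grant is narrowed with resourceNames. Wildcard verbs and resources are counted, because a rule with verbs: ["*"] grants impersonate just as surely as one that names it. The SAMPLE document is constructed for the example so it runs offline; the role and binding names in it are invented.

```python
"""RBAC impersonation audit over `kubectl ... -o json` output.

Added example, not code from the original post. Input is the v1 List from
`kubectl get clusterroles,clusterrolebindings,roles,rolebindings -A -o json`;
SAMPLE below is a constructed stand-in so the script runs offline.
"""
import json
import sys

# Resources the impersonate verb acts on (core group: users, groups,
# serviceaccounts; authentication.k8s.io: uids, userextras/<key>).
IMPERSONATION_RESOURCES = {"users", "groups", "serviceaccounts", "uids", "userextras"}


def impersonation_grants(role):
    """Return [(resources, resourceNames)] for rules that allow impersonation.

    Wildcards count: verbs ["*"] includes impersonate, resources ["*"] includes users.
    """
    grants = []
    for rule in role.get("rules", []):
        if not {"impersonate", "*"} & set(rule.get("verbs", [])):
            continue
        resources = set()
        for res in rule.get("resources", []):
            base = res.split("/", 1)[0]  # userextras/scopes -> userextras
            if base == "*" or base in IMPERSONATION_RESOURCES:
                resources.add(base)
        if resources:
            grants.append((sorted(resources), sorted(rule.get("resourceNames", []))))
    return grants


def audit_impersonation(items):
    """One finding per (subject, binding) pair whose role grants impersonation."""
    roles = {}
    for obj in items:
        if obj["kind"] in ("ClusterRole", "Role"):
            ns = obj["metadata"].get("namespace", "")
            roles[(obj["kind"], ns, obj["metadata"]["name"])] = obj
    findings = []
    for obj in items:
        if obj["kind"] not in ("ClusterRoleBinding", "RoleBinding"):
            continue
        ref, ns = obj["roleRef"], obj["metadata"].get("namespace", "")
        # A RoleBinding may reference a ClusterRole; ClusterRoles have no namespace.
        role = roles.get((ref["kind"], "" if ref["kind"] == "ClusterRole" else ns, ref["name"]))
        if role is None:
            continue  # dangling roleRef grants nothing
        grants = impersonation_grants(role)
        if not grants:
            continue
        for subj in obj.get("subjects", []):
            label = f"{subj['kind']}:{subj['name']}"
            if subj["kind"] == "ServiceAccount":
                label = f"ServiceAccount:{subj.get('namespace', ns)}/{subj['name']}"
            findings.append({
                "subject": label,
                "binding": f"{obj['kind']}/{obj['metadata']['name']}",
                "role": f"{ref['kind']}/{ref['name']}",
                "resources": sorted({r for res, _ in grants for r in res}),
                "resource_names": sorted({n for _, names in grants for n in names}),
                # A grant with no resourceNames lets the subject become anyone of that kind.
                "unrestricted": any(not names for _, names in grants),
            })
    return findings


SAMPLE = {"kind": "List", "items": [  # constructed sample, not from a real cluster
    {"kind": "ClusterRole", "metadata": {"name": "cluster-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "debug-impersonator"},
     "rules": [{"apiGroups": [""], "resources": ["users", "groups", "serviceaccounts"],
                "verbs": ["impersonate"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "ci-deployer-impersonate"},
     "rules": [{"apiGroups": [""], "resources": ["serviceaccounts"],
                "resourceNames": ["deployer"], "verbs": ["impersonate"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "cluster-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:masters"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "devs-can-impersonate"},
     "roleRef": {"kind": "ClusterRole", "name": "debug-impersonator"},
     "subjects": [{"kind": "Group", "name": "developers"}]},
    {"kind": "RoleBinding", "metadata": {"name": "ci-impersonate", "namespace": "ci"},
     "roleRef": {"kind": "ClusterRole", "name": "ci-deployer-impersonate"},
     "subjects": [{"kind": "User", "name": "ci-bot"}]},
]}

if __name__ == "__main__":
    # Usage: python audit.py rbac.json   (no argument: run over SAMPLE)
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for f in audit_impersonation(data["items"]):
        flag = "UNRESTRICTED" if f["unrestricted"] else "restricted"
        print(f"{flag:12} {f['subject']:24} {f['role']:40} via {f['binding']} "
              f"resources={f['resources']} names={f['resource_names']}")
```

On the sample the script flags system:masters (wildcard) and the developers group as unrestricted impersonators and ci-bot as restricted to the deployer service account in its namespace. The unrestricted entries are the ones to tighten before constrained impersonation lands; that feature keeps impersonation from exceeding the caller's own rights, but it does not remove the need to know who can impersonate at all.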
FAQ – Kubernetes 1.35 Security
| Question | Answer |
|---|---|
| Should I enable all 7 security features immediately in production? | No. Start with the beta features: user namespaces (beta for several releases and the safest first step), then mTLS pod certificates and robust image pull authorization with a staged rollout. Alpha features should stay in staging until they reach beta. |
| Do user namespaces work with all storage drivers? | Not yet. Some CSI drivers and hostPath mounts have issues. Test thoroughly before rolling out. |
| Will robust image pull authorization break my CI/CD pipelines? | Potentially, if your pipelines rely on cached images without proper registry credentials. This is actually a security bug you should fix. |
| When will these alpha features reach stable? | Historically, expect alpha → beta in Kubernetes 1.36/1.37 (mid‑2026) and beta → stable in late 2026 or early 2027. |
The Bottom Line
Kubernetes 1.35 isn’t just another version bump—it’s a security watershed moment. User namespaces reaching beta, mTLS pod certificates, and robust image‑pull authorization address real‑world attack vectors that have plagued production clusters for years.
The message: Kubernetes security is maturing beyond basic RBAC and network policies. Defense‑in‑depth is becoming native.
Start testing the beta features today, plan for the alphas, and keep your clusters ahead of the threat landscape.
# Kubernetes 1.35 Security Features: Proactive Hardening
*“Security isn’t a bolt‑on; it’s built into the platform.”*
DevSecOps teams have two choices:
1. **Start testing these features in staging today**, or
2. **Explain to your CISO in six months** why your cluster's security posture is falling behind industry standards.
The tooling is here. The vulnerabilities are known. The only question is whether you'll adopt these hardening measures **proactively** or **reactively after an incident**.
---
## Action Plan
- **Upgrade** to Kubernetes 1.35.
- **Test** the new security features in a staging environment.
- **Harden** your clusters based on the test results.
- **Repeat** the cycle continuously.
---
## Getting Started
1. **Audit your current security posture.**
2. **Identify which features provide the highest risk reduction** for your specific threat model.
3. **Implement** the selected features in production.
> *Security isn’t a checkbox—it’s a continuous evolution.*
---