Table of Contents
81 enhancements in a single release, a high-profile retirement that left teams scrambling, and a hard deadline of April 22, 2026 — Kubernetes v1.36 is the most consequential cluster update in recent memory.
If your team is still running Ingress NGINX, that controller was officially retired on March 24, 2026. No new patches. No security fixes. Every day you delay is a day your traffic routing operates without vendor support.
This guide breaks down the biggest changes in Kubernetes v1.36 — what’s graduating to stable, what’s been retired, and the exact steps to migrate before your cluster becomes a liability. Whether you manage a handful of workloads or orchestrate hundreds of services across multiple clusters, understanding this release is non-negotiable right now.
What’s New in Kubernetes v1.36: Key Enhancements for 2026
Kubernetes v1.36 tracks 81 enhancements post-Enhancements Freeze, making it one of the most feature-rich releases in the project’s history. Among these, 18 enhancements graduate to stable (GA) — becoming production-ready without feature flags. Here are the most impactful changes your team needs to know.
Dynamic Resource Allocation Reaches Beta
Dynamic Resource Allocation (DRA), which manages GPU and accelerator resources as first-class Kubernetes objects, graduates from alpha to beta in v1.36. Beta status means DRA is enabled by default — no feature gate required. Teams running GPU workloads for AI inference or machine learning training will find this especially significant.
Four DRA-specific enhancements also reach GA status alongside the core feature, giving the entire DRA ecosystem a stable foundation for production deployments. If your cluster hosts GPU-intensive workloads, plan time to understand the new resource model before upgrading.
ServiceAccount Token Signing Goes Stable
External signing of ServiceAccount tokens is expected to reach GA in v1.36. This allows the kube-apiserver to delegate token signing to cloud key management services (KMS) or hardware security modules (HSMs). For security-focused teams, this reduces the blast radius of a compromised API server.
In the same release, the kubelet gains the ability to use ephemeral, auto-rotating KSA tokens for authenticating image pulls. Each token is scoped to the pod’s identity and short-lived — replacing long-lived credentials that have been a persistent security risk across Kubernetes deployments.
HPAScaleToZero Now On by Default
The Horizontal Pod Autoscaler can now scale workloads to zero replicas out of the box. Previously requiring an explicit feature gate, HPAScaleToZero is enabled by default in v1.36. Idle workloads no longer consume cluster resources — a direct win for teams running event-driven or batch processing architectures where cost optimization matters.
Other notable graduations include Support for User Namespaces in pods and Mutating Admission Policies, both reaching stable. In-Place Pod Resize is also extended to support aggregate resource specifications at the pod level, enabling dynamic scaling without pod restarts.
The Ingress-NGINX Retirement: Why Your Team Is Already Behind
Kubernetes SIG Network and the Security Response Committee officially retired the Ingress NGINX controller on March 24, 2026. Since that date:
- No new releases will be published
- No bug fixes will be applied
- No security vulnerability patches will be issued
This is not a deprecation warning. The controller is end-of-life. Existing deployments continue to function, and installation artifacts like Helm charts and container images remain available — but any CVE discovered after March 24 will remain unpatched indefinitely. Security-conscious teams cannot afford this exposure.
The recommended replacement is the Kubernetes Gateway API. Since reaching v1.0 GA in October 2023, it now has 20+ conformant implementations from vendors including Google, Amazon, Envoy, and Contour. The Gateway API introduces clear role separation: infrastructure providers manage Gateway configurations, while application developers manage HTTPRoute and other routing resources — a model that maps cleanly to how platform and application teams actually work.
For the latest updates on cloud-native infrastructure and container orchestration news, explore the Dev/IT Ops coverage on Hubkub.
How to Migrate to Gateway API Using ingress2gateway 1.0
On March 20, 2026, Kubernetes SIG-Network released ingress2gateway 1.0 — a stable migration tool that converts existing Ingress resources to Gateway API resources. It supports over 30 common annotations including CORS, backend TLS, regex matching, and path rewrites.
Follow these steps to migrate your cluster:
Step 1: Install ingress2gateway
Download the binary from the GitHub releases page, or install via Go:
go install github.com/kubernetes-sigs/[email protected]Step 2: Convert your existing Ingress resources
Run the following command to convert all Ingress resources across all namespaces and save the output to a file:
ingress2gateway print --providers=ingress-nginx -A > gateway-routes.yamlStep 3: Review the generated resources
Open gateway-routes.yaml and inspect the generated Gateway and HTTPRoute objects. ingress2gateway flags unsupported annotations and suggests alternatives where it cannot convert automatically. Treat the output as a starting point — complex setups with proprietary extensions require manual review.
Step 4: Apply and validate
Once you’ve reviewed the output, apply the new resources to your cluster:
kubectl apply -f gateway-routes.yamlRun your routing tests against the new Gateway-managed endpoints. When confirmed working, remove the old Ingress resources and uninstall the Ingress NGINX controller.
For the complete Gateway API specification and implementation guides from all conformant providers, refer to the official Kubernetes Gateway API documentation.
Common Questions — Kubernetes v1.36
Q: When does Kubernetes v1.36 release?
A: Kubernetes v1.36 is scheduled for release on April 22, 2026. It tracks 81 enhancements post-Enhancements Freeze, with 18 features graduating to stable (GA). Teams should begin reviewing the sneak peek documentation and testing in staging clusters before the release date.
Q: Is it safe to keep running Ingress NGINX after March 2026?
A: Existing deployments will continue to function, but they will receive no security patches or bug fixes. Any CVE discovered after March 24, 2026 will remain unpatched indefinitely. Teams should prioritize migration to the Gateway API to reduce security exposure.
Q: What is Dynamic Resource Allocation and why does it matter?
A: DRA is a Kubernetes feature that manages accelerator resources — primarily GPUs — as native cluster objects. In v1.36, it graduates to beta and is enabled by default without a feature gate. This matters most to teams running AI inference or machine learning workloads on GPU-backed nodes.
Q: What is the best alternative to Ingress NGINX in 2026?
A: The Kubernetes project recommends the Gateway API as the standard replacement. It has 20+ conformant implementations from major vendors including Google, AWS, and Envoy. The ingress2gateway 1.0 tool, released March 20, 2026, automates most of the conversion from existing Ingress resources to Gateway API objects.
Conclusion
Kubernetes v1.36, releasing April 22, 2026, marks a significant shift in how the project manages networking, security tokens, and resource allocation. Three key takeaways for your team:
- Migrate from Ingress NGINX immediately. The controller is retired with no further security patches. Use ingress2gateway 1.0 to convert your Ingress resources to Gateway API HTTPRoutes.
- Review HPAScaleToZero and DRA beta defaults. Both are now enabled by default in v1.36 and may change existing cluster behavior without explicit configuration changes on your end.
- Plan your v1.36 upgrade post-April 22. Test the release in a staging environment first, especially if you rely on features graduating from beta to stable or workloads using the DRA resource model.
Stay ahead of the latest developments across cloud infrastructure, AI tooling, and developer news in our Tech News section on Hubkub. Explore more in our Dev/IT Ops coverage.
Last Updated: April 13, 2026
