Kubernetes v1.35.6 Release - Critical CSI Fix and Go Update
Kubernetes v1.35.6 arrived on June 12, 2026, as a standard patch release for the current stable branch. This update is particularly important for clusters using CSI drivers due to a bug that could lead to stale volume data. It also updates the build environment to Go 1.25.11 and addresses several panics in the scheduler and networking components.
The full release notes and downloads are on the GitHub release page.
Critical Kubelet Storage Fix
The storage layer in Kubernetes depends on the Container Storage Interface or CSI to manage volumes. The kubelet runs on every node and calls these drivers to mount and unmount disks. One specific call, NodePublishVolume, is responsible for making a volume available at a specific path for a pod. In v1.35.6, the maintainers fixed a critical regression where the kubelet would delete the mount directory if this call returned an error.
This was meant to be a cleanup step, but it caused major problems. If the directory was deleted while the pod was still running, the mount point could become corrupted. Users reported that their applications would see stale data from the underlying host filesystem instead of the intended persistent volume. Even if the CSI driver succeeded in a later attempt, it often could not recreate the mount point correctly without a full pod restart. The new logic is more conservative and preserves the directory to allow for retries.
Scheduler and Resource Allocation
Dynamic Resource Allocation is a relatively new feature in Kubernetes that allows for more flexible resource management than the traditional CPU and memory limits. It is frequently used for managing GPUs and other specialized hardware. The v1.35.6 release fixes a specific edge case where the scheduler would crash with a panic. This happened when using AllocationMode: All for a resource claim that interacted with shared counters on a device.
A scheduler panic is a serious event as it stops all pod placement across the entire cluster until the process restarts. Another scheduling fix involves how pods are matched to resource claims. In some scenarios where a pod required both multi node and per node resource claims, the scheduler logic would fail to find a valid node even if one existed. This led to pods being stuck in the Pending state indefinitely. These fixes make DRA much more reliable for production workloads.
Networking and Binary Secrets
The networking improvements in this patch target the endpoint controller and secret management. As Kubernetes moved toward dual stack networking support, many controllers had to be updated to handle the new IPFamilies field. However, some clusters still have very old service objects created in earlier versions. These legacy objects might have an empty or missing IPFamilies field. The endpoint controller in recent versions would sometimes panic when encountering these old services. The fix in v1.35.6 adds a safety check to handle these cases gracefully.
On the security side, a regression was fixed regarding how Secrets handle binary data. Kubernetes Secrets can store any data, including non UTF8 strings like certificates or encryption keys. A recent change caused containers to fail when trying to inject these binary values into environment variables. This release restores the ability to use binary secrets as environment variables, which is a common pattern for legacy applications and specific security tools.
Performance and Build Updates
Building Kubernetes requires a specific version of the Go compiler to ensure binary compatibility and performance. This release moves to Go 1.25.11. This update includes several fixes to the Go standard library, particularly around networking and memory management. Using the latest Go version also ensures that the cluster binaries are protected against known security vulnerabilities in the compiler or runtime.
Additionally, the team improved the efficiency of SELinux metrics. In clusters with thousands of volumes, the kubelet can spend a lot of time calculating the correct SELinux context for each file. The changes in v1.35.6 reduce the CPU cycles required for this monitoring, which lowers the overall node overhead. For operators using kubeadm, a bug in the certs phase was fixed where the dry run command did not properly copy existing CA files during the execution.
Where to get it
The release is available via the usual channels. You can find the binaries and detailed changelogs at these locations:
- The GitHub release page
- The official Kubernetes repository
- The release tag
v1.35.6
Operators should review the CHANGELOG-1.35.md file for any specific environment requirements before upgrading production clusters.