kubernetes-knowledge-patch


Kubernetes Knowledge Patch

Post-training knowledge for Kubernetes 1.33-1.35 and Gateway API v1.3-1.4. Assumes familiarity with Kubernetes through 1.32 including core workloads, Services, Ingress, RBAC, HPA/VPA, CRDs, Helm, NetworkPolicy, PodSecurityAdmission, ValidatingAdmissionPolicy GA (1.30), sidecar containers beta, Gateway API v1.0-v1.2.

References

  • Pod Resources & Lifecycle — In-Place Pod Resize GA, Pod-Level Resources, Container Restart Rules, Image Volumes, Pod Generation
  • Dynamic Resource Allocation — DRA GA (resource.k8s.io/v1), ResourceClaim, DeviceClass, firstAvailable
  • Admission Policies — MutatingAdmissionPolicy (CEL-based declarative mutations)
  • Networking & Gateway API — Traffic Distribution GA, Gateway API v1.3-1.4, BackendTLSPolicy, Endpoints API deprecated
  • Workload Management — HPA configurable tolerance, StatefulSet maxUnavailable, Job managedBy/podReplacementPolicy, VolumeAttributesClass, Node Topology Labels
  • Deprecations & Removals — cgroup v1 removed, Ingress NGINX retired, ipvs deprecated, containerd 1.x EOL

Quick Reference — What's GA in 1.35

| Feature | API/Field | Since |
| --- | --- | --- |
| In-Place Pod Resize | kubectl patch pod --subresource=resize | beta 1.33 → GA 1.35 |
| Dynamic Resource Allocation | resource.k8s.io/v1 | GA 1.35 |
| Traffic Distribution | svc.spec.trafficDistribution: PreferSameZone | GA 1.35 |
| Pod Generation | metadata.generation / status.observedGeneration on Pods | GA 1.35 |
| Job managedBy | .spec.managedBy | GA 1.35 |
| Job podReplacementPolicy | .spec.podReplacementPolicy: Failed | GA 1.34 |
| VolumeAttributesClass | Modify volume params (IOPS) on-line via CSI | GA 1.34 |
| SupplementalGroupsPolicy | Strict mode ignores image /etc/group | GA 1.35 |
| Node Topology Labels | Downward API: metadata.labels['topology.kubernetes.io/zone'] | beta 1.35 |
| HPA Configurable Tolerance | behavior.scaleUp.tolerance | beta 1.35 |
| StatefulSet maxUnavailable | rollingUpdate.maxUnavailable | beta 1.35 |
| Image Volumes | volumes[].image | on-by-default 1.35 |
| Container Restart Rules | per-container restartPolicyRules | beta 1.35 |

Quick Reference — Key API Changes

In-Place Pod Resize (GA 1.35)

CPU and memory requests and limits can be changed on a running Pod through the resize subresource, without recreating the Pod. Memory limit decreases are allowed since 1.35. The spec holds the desired values; the resources the kubelet has actually applied are reported in status.containerStatuses[*].resources, so a resize is only in effect once the two agree. Permission to patch the pods/resize subresource is granted separately from patch on pods in RBAC.

# Resize via kubectl:
kubectl patch pod mypod --subresource=resize -p \
'{"spec":{"containers":[{"name":"app","resources":{"requests":{"cpu":"500m"},"limits":{"cpu":"1"}}}]}}'
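Because spec and status can disagree while a resize is pending, the check a practitioner wants after running the patch above is a diff of the two. The following is an added example (not part of the knowledge patch); it reads the JSON shape returned by `kubectl get pod <name> -o json`, and the sample Pod object embedded in it is constructed for illustration.

```python
"""Check whether an in-place resize has actually landed on a running Pod.

Compares the desired resources in spec.containers[*].resources with the
effective ones the kubelet reports in status.containerStatuses[*].resources.
"""
import json

# Kubernetes quantity suffixes -> multiplier (decimal and binary SI).
_SUFFIX = {"m": 1e-3, "k": 1e3, "M": 1e6, "G": 1e9, "T": 1e12,
           "Ki": 1024, "Mi": 1024 ** 2, "Gi": 1024 ** 3, "Ti": 1024 ** 4}


def parse_quantity(q) -> float:
    """Turn '500m', '1', '256Mi' or '2G' into a plain number so '1' == '1000m'."""
    q = str(q)
    for suffix in sorted(_SUFFIX, key=len, reverse=True):
        if q.endswith(suffix):
            return float(q[: -len(suffix)]) * _SUFFIX[suffix]
    return float(q)


def resize_drift(pod: dict) -> dict:
    """Return {container: {'requests.cpu': (desired, actual), ...}} for every
    resource whose effective value differs from (or is missing in) the status."""
    actual = {cs["name"]: cs.get("resources") or {}
              for cs in (pod.get("status") or {}).get("containerStatuses", [])}
    drift = {}
    for c in pod["spec"]["containers"]:
        want = c.get("resources") or {}
        have = actual.get(c["name"], {})
        for kind in ("requests", "limits"):
            for res, desired in (want.get(kind) or {}).items():
                got = (have.get(kind) or {}).get(res)
                if got is None or parse_quantity(got) != parse_quantity(desired):
                    drift.setdefault(c["name"], {})[f"{kind}.{res}"] = (desired, got)
    return drift


# Constructed sample: the CPU change from the patch above has been applied, a
# later memory change has not (for example because the node lacks headroom).
SAMPLE_POD = json.loads("""
{
  "metadata": {"name": "mypod"},
  "spec": {"containers": [
    {"name": "app", "resources": {
      "requests": {"cpu": "500m", "memory": "256Mi"},
      "limits":   {"cpu": "1000m", "memory": "512Mi"}}}
  ]},
  "status": {"containerStatuses": [
    {"name": "app", "resources": {
      "requests": {"cpu": "500m", "memory": "128Mi"},
      "limits":   {"cpu": "1", "memory": "256Mi"}}}
  ]}
}
""")

if __name__ == "__main__":
    for name, fields in resize_drift(SAMPLE_POD).items():
        for field, (desired, got) in fields.items():
            print(f"{name}: {field} desired={desired} actual={got}")
```

An empty result means every container is running with the resources the spec asks for; anything else is a resize the kubelet has deferred or not yet applied, which is worth alerting on when limits are being lowered for isolation reasons.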

DRA — Request Hardware Devices (GA 1.35)

apiVersion: resource.k8s.io/v1
kind: ResourceClaimTemplate
metadata:
  name: gpu-claim
spec:
  spec:
    devices:
      requests:
        - name: gpu
          deviceClassName: gpu.example.com
          selectors:
            # memory is a quantity, so it is looked up under device.capacity;
            # device.attributes holds string/int/bool/version attributes
            - cel:
                expression: device.capacity["gpu.example.com"].memory.compareTo(quantity("16Gi")) >= 0
---
# In Pod spec:
# spec.resourceClaims:
# - name: gpu
#   resourceClaimTemplateName: gpu-claim
# spec.containers[*].resources.claims:
# - name: gpu

MutatingAdmissionPolicy (beta 1.34)

CEL-based declarative mutations that replace mutating webhooks for simple cases. Requires the MutatingAdmissionPolicy feature gate and the admissionregistration.k8s.io/v1beta1 API to be enabled. As with ValidatingAdmissionPolicy, a policy only takes effect once a MutatingAdmissionPolicyBinding references it. An ApplyConfiguration mutation is merged into the object with server-side-apply semantics, so the label below is added alongside existing labels rather than replacing them.

apiVersion: admissionregistration.k8s.io/v1beta1
kind: MutatingAdmissionPolicy
metadata:
  name: add-team-label
spec:
  matchConstraints:
    resourceRules:
      - apiGroups: ["apps"]
        apiVersions: ["v1"]
        operations: ["CREATE"]
        resources: ["deployments"]
  mutations:
    - patchType: ApplyConfiguration
      applyConfiguration:
        expression: >
          Object{
            metadata: Object.metadata{
              labels: {"team": "platform"}
            }
          }

Pod-Level Resources (beta 1.34)

Shared resource budget across all containers in a Pod:

spec:
  resources:
    requests:
      cpu: "2"
      memory: 4Gi
    limits:
      cpu: "4"
      memory: 8Gi
  containers:
    - name: app
      image: myapp
    - name: sidecar
      image: proxy

Image Volumes (on-by-default 1.35)

Mount OCI images as readonly volumes. Requires containerd v2.1+.

spec:
  volumes:
    - name: model
      image:
        reference: registry.example.com/ml-model:v2
        pullPolicy: IfNotPresent
  containers:
    - name: app
      volumeMounts:
        - name: model
          mountPath: /models
          subPath: weights # subPath supported since 1.33

Container Restart Rules (beta 1.35)

spec:
  restartPolicy: Never # Pod-level
  containers:
    - name: trainer
      restartPolicy: OnFailure # Container-level override
      restartPolicyRules: # Rules are evaluated first; exits they do not match fall back to the container restartPolicy
        - action: Restart
          exitCodes:
            operator: In # In or NotIn
            values: [137, 139]

Traffic Distribution (GA 1.35)

PreferClose renamed to PreferSameZone. New PreferSameNode option.

spec:
  trafficDistribution: PreferSameNode # or PreferSameZone

Gateway API — Percentage Mirroring (v1.3)

filters:
  - type: RequestMirror
    requestMirror:
      backendRef: { name: canary, port: 8080 }
      percent: 10

HPA Configurable Tolerance (beta 1.35)

apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
spec:
  behavior:
    scaleUp:
      tolerance: 0.05 # 5% — more sensitive scaling (default was 10%)

EndpointSlice Migration (1.33+)

# Old (deprecated, returns warnings in 1.33+)
kubectl get endpoints myservice
# New — look up by label (one Service → multiple EndpointSlices)
kubectl get endpointslice -l kubernetes.io/service-name=myservice
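Consumers that used to read the single Endpoints object now have to merge several EndpointSlices and honour per-endpoint readiness. The following is an added example (not part of the knowledge patch) showing that merge in Python over the JSON that `kubectl get endpointslice -l kubernetes.io/service-name=<svc> -o json` returns; the slice objects embedded in it are constructed.

```python
"""Merge the EndpointSlices of one Service into a ready (address, port) list."""
import json

SERVICE_NAME_LABEL = "kubernetes.io/service-name"

# Constructed sample: two slices back `myservice`, a third belongs to another
# Service and must be ignored. One endpoint is terminating and not ready.
SAMPLE_SLICES = json.loads("""
{"items": [
  {"metadata": {"name": "myservice-abc12", "labels": {"kubernetes.io/service-name": "myservice"}},
   "addressType": "IPv4",
   "ports": [{"name": "http", "port": 8080, "protocol": "TCP"}],
   "endpoints": [
     {"addresses": ["10.0.1.5"], "conditions": {"ready": true}},
     {"addresses": ["10.0.1.6"], "conditions": {"ready": false, "terminating": true}}
   ]},
  {"metadata": {"name": "myservice-def34", "labels": {"kubernetes.io/service-name": "myservice"}},
   "addressType": "IPv4",
   "ports": [{"name": "http", "port": 8080, "protocol": "TCP"}],
   "endpoints": [
     {"addresses": ["10.0.2.9"], "conditions": {"ready": true}}
   ]},
  {"metadata": {"name": "other-xyz99", "labels": {"kubernetes.io/service-name": "other"}},
   "addressType": "IPv4",
   "ports": [{"name": "http", "port": 80, "protocol": "TCP"}],
   "endpoints": [{"addresses": ["10.0.3.1"], "conditions": {"ready": true}}]}
]}
""")


def ready_endpoints(slice_list: dict, service: str) -> list:
    """Return sorted (address, port) pairs that are ready across every
    EndpointSlice labelled for `service`; replaces reading the Endpoints object."""
    out = set()
    for s in slice_list.get("items", []):
        labels = (s.get("metadata") or {}).get("labels") or {}
        if labels.get(SERVICE_NAME_LABEL) != service:
            continue
        ports = [p["port"] for p in s.get("ports", []) if p.get("port") is not None]
        for ep in s.get("endpoints", []):
            # conditions.ready is a bool or absent; absent is treated as ready
            if (ep.get("conditions") or {}).get("ready") is False:
                continue
            for addr in ep.get("addresses", []):
                for port in ports:
                    out.add((addr, port))
    return sorted(out)


if __name__ == "__main__":
    for addr, port in ready_endpoints(SAMPLE_SLICES, "myservice"):
        print(f"{addr}:{port}")
```

Selecting by the kubernetes.io/service-name label rather than by object name is the part that changes: a Service with many endpoints is split across slices with generated names, so matching on the name alone silently drops backends.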

Node Topology Labels via Downward API (beta 1.35)

env:
  - name: ZONE
    valueFrom:
      fieldRef:
        fieldPath: metadata.labels['topology.kubernetes.io/zone']
# Kubelet injects topology labels into every Pod automatically

Key Deprecations (1.33–1.35)

  • cgroup v1 removed — kubelet won't start on cgroup v1 nodes
  • Ingress NGINX retired — best-effort until March 2026, migrate to Gateway API
  • ipvs kube-proxy deprecated — migrate to nftables mode
  • containerd 1.x — last supported in 1.35, upgrade to 2.0+
  • Endpoints API deprecated (1.33) — use EndpointSlice instead
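A quick way to find the items on this list in a cluster is to scan exported objects for them. The following is an added example (not part of the knowledge patch) that checks parsed Kubernetes objects for Endpoints usage, Ingresses pointed at Ingress NGINX, and kube-proxy in ipvs mode. The class name `nginx` and the kube-system/kube-proxy ConfigMap layout with a `config.conf` key are assumptions about a typical setup, not facts from the page, and the sample objects are constructed.

```python
"""Scan parsed Kubernetes objects for the deprecated usages listed above."""
import re

NGINX_CLASSES = {"nginx"}  # assumption: class name under which Ingress NGINX is installed
IPVS_MODE = re.compile(r'^\s*mode:\s*"?ipvs"?\s*$', re.M)


def scan_object(obj: dict) -> list:
    """Return a list of (kind/name, message) findings for one object."""
    kind = obj.get("kind", "")
    meta = obj.get("metadata") or {}
    ident = f"{kind}/{meta.get('name', '?')}"
    findings = []

    if kind == "Endpoints":
        findings.append((ident, "Endpoints API deprecated since 1.33; read EndpointSlices instead"))

    if kind == "Ingress":
        spec = obj.get("spec") or {}
        annotations = meta.get("annotations") or {}
        # spec.ingressClassName is current; the annotation is the legacy form
        cls = spec.get("ingressClassName") or annotations.get("kubernetes.io/ingress.class")
        if cls in NGINX_CLASSES:
            findings.append((ident, "uses Ingress NGINX (retired, best-effort until March 2026); migrate to Gateway API"))

    # kube-proxy config given directly as a KubeProxyConfiguration object
    if kind == "KubeProxyConfiguration" and obj.get("mode") == "ipvs":
        findings.append((ident, "kube-proxy ipvs mode deprecated; migrate to nftables"))

    # assumption: kubeadm-style ConfigMap carrying the same config under config.conf
    if kind == "ConfigMap" and meta.get("name") == "kube-proxy":
        cfg = (obj.get("data") or {}).get("config.conf", "")
        if IPVS_MODE.search(cfg):
            findings.append((ident, "kube-proxy ipvs mode deprecated; migrate to nftables"))

    return findings


def scan_all(objects) -> list:
    """Flatten scan_object over an iterable of objects."""
    findings = []
    for obj in objects:
        findings.extend(scan_object(obj))
    return findings


# Constructed samples; the HTTPRoute is clean and must produce no finding.
SAMPLE_OBJECTS = [
    {"apiVersion": "v1", "kind": "Endpoints", "metadata": {"name": "myservice"}},
    {"apiVersion": "networking.k8s.io/v1", "kind": "Ingress",
     "metadata": {"name": "web"}, "spec": {"ingressClassName": "nginx"}},
    {"apiVersion": "networking.k8s.io/v1", "kind": "Ingress",
     "metadata": {"name": "api", "annotations": {"kubernetes.io/ingress.class": "nginx"}},
     "spec": {}},
    {"apiVersion": "v1", "kind": "ConfigMap", "metadata": {"name": "kube-proxy"},
     "data": {"config.conf": "apiVersion: kubeproxy.config.k8s.io/v1alpha1\n"
                             "kind: KubeProxyConfiguration\nmode: \"ipvs\"\n"}},
    {"apiVersion": "gateway.networking.k8s.io/v1", "kind": "HTTPRoute", "metadata": {"name": "web"}},
]

if __name__ == "__main__":
    for ident, msg in scan_all(SAMPLE_OBJECTS):
        print(f"{ident}: {msg}")
```

Feed it the items of `kubectl get endpoints,ingress -A -o json` plus the kube-proxy ConfigMap to get a migration list before upgrading; cgroup v1 and the containerd version are node properties and are checked on the nodes, not in API objects.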
Directory listing metadata: 3 installs, 19 GitHub stars, first seen Apr 7, 2026.