Cmcsport
2026-05-02

10 Critical Kubernetes v1.36 Changes You Must Know

Kubernetes v1.36 brings key deprecations and retirement of Ingress NGINX. Learn the 10 critical changes including API policy, externalIPs deprecation, and migration strategies.

Kubernetes v1.36, arriving at the end of April 2026, promises a host of enhancements alongside necessary deprecations and removals. This release underscores the project's commitment to stability and security, but it also demands your attention to avoid disruptions. Based on the current development state (subject to change), here are the ten most important things you need to know to prepare for this upgrade.

1. Understanding the Deprecation Policy

Kubernetes has a well-defined deprecation policy for APIs. A deprecated API is marked for removal in a future release but continues to function for at least one year, emitting warnings. The policy ensures that stable APIs are only deprecated when a newer stable version exists, while beta APIs must be supported for three releases after deprecation. Alpha APIs can be removed without notice. This systematic approach prevents sudden breakage and gives you ample time to migrate.


2. API Removal Timelines by Stability Level

Each stability level has specific lifetimes. Generally available (GA) APIs cannot be removed within a major version. Beta APIs require three release cycles of support post-deprecation. Alpha APIs are experimental and may be withdrawn in any release. When an API is removed—whether due to graduation or failure—migration options are communicated in the deprecation guide. Knowing these timelines helps you plan upgrades accordingly.

3. Ingress NGINX Retirement: What Happened

On March 24, 2026, SIG Network and the Security Response Committee officially retired the Ingress NGINX project. This means no further releases, bug fixes, or security updates will be provided. Existing deployments continue to run, and installation artifacts like Helm charts and container images remain available. However, using it going forward poses security risks. The retirement follows the same lifecycle discipline that ensures Kubernetes evolves without abrupt disruption.

4. Immediate Actions for Ingress NGINX Users

If you currently rely on Ingress NGINX, now is the time to evaluate alternatives. The community has been encouraged to adopt ingress controllers that align with current security and maintenance best practices. Options include NGINX Ingress Controller (the official NGINX product), Traefik, Contour, or Istio's gateway. Migrate as soon as possible to avoid exposure to unpatched vulnerabilities. The retirement announcement provides further details.
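To scope that migration, the added example below (not code from the Kubernetes project or the retirement announcement) inventories which Ingress objects are actually served by the retired controller. It assumes the input is the parsed output of `kubectl get ingressclass,ingress -A -o json`, that Ingress NGINX registers the controller string `k8s.io/ingress-nginx`, and that classless Ingresses fall to a default class; the function name and sample objects are constructed for illustration.

```python
RETIRED_CONTROLLER = "k8s.io/ingress-nginx"   # controller string of the retired project
DEFAULT_ANN = "ingressclass.kubernetes.io/is-default-class"
LEGACY_ANN = "kubernetes.io/ingress.class"    # pre-IngressClass way to pick a controller

def find_ingress_nginx(doc):
    """Return sorted (namespace, name, class, reason) for Ingresses tied to Ingress NGINX."""
    items = doc.get("items", [])
    retired, default_retired = set(), None
    for it in items:
        if it.get("kind") == "IngressClass" and it.get("spec", {}).get("controller") == RETIRED_CONTROLLER:
            name = it["metadata"]["name"]
            retired.add(name)
            if (it["metadata"].get("annotations") or {}).get(DEFAULT_ANN) == "true":
                default_retired = name
    hits = []
    for it in items:
        if it.get("kind") != "Ingress":
            continue
        meta, spec = it["metadata"], it.get("spec", {})
        cls = spec.get("ingressClassName")
        legacy = (meta.get("annotations") or {}).get(LEGACY_ANN)
        if cls in retired:
            reason = "ingressClassName"
        elif cls is None and legacy in retired:
            cls, reason = legacy, "legacy annotation"
        elif cls is None and legacy is None and default_retired:
            # Heuristic: a classless Ingress is picked up by the default class.
            cls, reason = default_retired, "default class"
        else:
            continue
        hits.append((meta.get("namespace", "default"), meta["name"], cls, reason))
    return sorted(hits)

# Constructed sample; the class named "nginx-plus" belongs to a different, maintained controller.
SAMPLE = {"items": [
    {"kind": "IngressClass", "metadata": {"name": "nginx", "annotations": {DEFAULT_ANN: "true"}},
     "spec": {"controller": RETIRED_CONTROLLER}},
    {"kind": "IngressClass", "metadata": {"name": "nginx-plus"}, "spec": {"controller": "nginx.org/ingress-controller"}},
    {"kind": "Ingress", "metadata": {"namespace": "shop", "name": "web"}, "spec": {"ingressClassName": "nginx"}},
    {"kind": "Ingress", "metadata": {"namespace": "shop", "name": "api"}, "spec": {"ingressClassName": "nginx-plus"}},
    {"kind": "Ingress", "metadata": {"namespace": "legacy", "name": "old", "annotations": {LEGACY_ANN: "nginx"}}, "spec": {}},
    {"kind": "Ingress", "metadata": {"namespace": "misc", "name": "implicit"}, "spec": {}},
]}

if __name__ == "__main__":
    for row in find_ingress_nginx(SAMPLE):
        print(*row, sep="\t")
```

Matching on the controller string rather than the class name matters because a class called `nginx` can point at either the retired project or a maintained controller.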

5. Deprecation of .spec.externalIPs in Services

The externalIPs field in the Service spec is being deprecated in v1.36. This field has long been a quick way to route arbitrary external IPs to services, but it also presented a known security headache—allowing potential IP address spoofing and bypassing network policies. Its removal encourages more secure alternatives. You should start planning to replace externalIPs with proper load balancer configurations or gateway API resources.

6. Alternatives to ExternalIPs

Instead of using externalIPs, consider using loadBalancerIP with a cloud provider, or implement an ingress controller that handles external traffic. For bare-metal clusters, MetalLB or similar solutions can assign IPs to LoadBalancer services. Another option is the Gateway API, which provides a more expressive and secure way to manage external connectivity. Migrating now ensures a smooth transition before the field is removed completely.
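Before replacing the field, it helps to know where it is used and which addresses it claims. The following added example (not from the original article or the Kubernetes project) audits the parsed output of `kubectl get services -A -o json` and checks each `externalIPs` entry against an operator-supplied allow-list; the function name, the approved CIDR and the sample Services are assumptions constructed for illustration.

```python
import ipaddress

def audit_external_ips(doc, approved_cidrs=()):
    """Return sorted (namespace, name, type, ip, verdict) for every Service externalIP."""
    nets = [ipaddress.ip_network(c) for c in approved_cidrs]
    findings = []
    for svc in doc.get("items", []):
        if svc.get("kind") != "Service":
            continue
        meta, spec = svc["metadata"], svc.get("spec", {})
        for raw in spec.get("externalIPs") or []:
            try:
                ip = ipaddress.ip_address(raw)
            except ValueError:
                # Can appear in manifests that were never admitted by an API server.
                verdict = "invalid"
            else:
                # Membership is False when the address and network IP versions differ.
                verdict = "approved" if any(ip in n for n in nets) else "unapproved"
            findings.append((meta.get("namespace", "default"), meta["name"],
                             spec.get("type", "ClusterIP"), raw, verdict))
    return sorted(findings)

# Constructed sample: documentation-range addresses plus one in-cluster-looking address.
SAMPLE = {"items": [
    {"kind": "Service", "metadata": {"namespace": "prod", "name": "edge"},
     "spec": {"type": "LoadBalancer"}},
    {"kind": "Service", "metadata": {"namespace": "prod", "name": "legacy-vip"},
     "spec": {"type": "ClusterIP", "externalIPs": ["203.0.113.10", "10.96.0.10"]}},
    {"kind": "Service", "metadata": {"namespace": "dev", "name": "test"},
     "spec": {"type": "NodePort", "externalIPs": ["198.51.100.7"]}},
]}
APPROVED = ["203.0.113.0/24"]  # assumed range the network team has routed to the cluster

if __name__ == "__main__":
    for row in audit_external_ips(SAMPLE, APPROVED):
        print(*row, sep="\t")
```

Every row is a Service to migrate; rows marked `unapproved` or `invalid` deserve attention first because they claim addresses nobody allocated to the cluster.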

7. Lifespan of Different API Versions

Understanding version lifespans is crucial. GA APIs are stable and may only be deprecated when a newer GA version is available; they cannot be removed within a major release. Beta APIs have a minimum support of three releases after deprecation. Alpha APIs are fragile and can disappear in any release without warning. This hierarchy allows you to prioritize which APIs to monitor for changes. Always prefer GA APIs for production workloads.

8. How to Handle Deprecated APIs

When an API is deprecated, you'll see warning messages in your logs or kubectl output. Review the deprecation guide for migration options. Use tools like kubectl convert or the Kubernetes API version checker to identify affected resources. Update your manifests and custom controllers incrementally. Don't ignore warnings—deprecated APIs are removed in a future release, and removal means your components will stop working.

9. Migration Strategies for Removed APIs

When an API is removed, it's no longer available. For the externalIPs field, deprecated in v1.36, you can migrate to spec.loadBalancerSourceRanges or the Gateway API. For the Ingress NGINX retirement, adopt a supported ingress controller. The project's deprecation guide always documents migration options. Test your changes in a non-production environment first, and ensure your CI/CD pipelines are updated to use the new API versions.

10. Community Impact and Security Focus

The Ingress NGINX retirement, driven by SIG Security, highlights the community's dedication to ecosystem safety. This move ensures that projects with security vulnerabilities are either fixed or retired to prevent widespread exploitation. It reflects the same lifecycle discipline that governs Kubernetes APIs. As a user, staying informed about such announcements helps you maintain a secure and up-to-date cluster. Always follow the official Kubernetes blog and security advisories.

In conclusion, Kubernetes v1.36 is more than just a feature release—it's a call to action. The deprecation of externalIPs and the retirement of Ingress NGINX demand immediate attention. By understanding the deprecation policy, monitoring API changes, and migrating in advance, you can ensure your cluster remains resilient and secure. Start planning today to avoid last-minute surprises when v1.36 arrives.