Kubernetes 1.35 Security Changes: cgroup, WebSockets, Image Pull Auth + More

Dec 10, 2025

It’s December, and Kubernetes 1.35 is almost here, with security changes that can break workloads or access paths if you upgrade unprepared. This video is a fast, practical, security-focused rundown for security and platform engineers: what changed, why it matters, and what to verify before you roll 1.35 into production.

In this video (Kubernetes 1.35 security highlights):

  • cgroup v1 to v2 shift: cgroup v1 is being deprecated in favor of v2, so check your nodes before upgrading.
  • SPDY replaced by WebSockets in the API server: RBAC implications for exec / port-forward style upgrades - review “create” permissions where required.
  • Stricter image pull authorization: new behavior can mean pods fail to start if credentials aren’t properly configured (especially in multi-tenant clusters).
  • New defenses worth enabling: constrained impersonation behavior, improved CSI credential handling, and tighter kubelet certificate validation (opt-in).
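
One way to do the RBAC review from the SPDY to WebSockets item, as an added example (not from the video or the Kubernetes project): it scans the output of `kubectl get roles,clusterroles -A -o json` for roles that grant `get` but not `create` on `pods/exec` or `pods/portforward`. Treating that verb pair as the thing to review, and the sample roles, are assumptions made here.

```python
import json
import sys

# Subresources for the exec / port-forward upgrades named in the list above.
STREAMING = ("pods/exec", "pods/portforward")

def resource_matches(rule_resources, wanted):
    """RBAC resource matching: '*', the exact name, or '*/<subresource>'."""
    sub = wanted.split("/", 1)[1]
    return any(r in ("*", wanted, "*/" + sub) for r in rule_resources or [])

def verbs_for(role, resource):
    """Union of verbs one Role/ClusterRole grants on a core-group resource."""
    verbs = set()
    for rule in role.get("rules") or []:
        groups = rule.get("apiGroups") or []
        if ("" in groups or "*" in groups) and resource_matches(rule.get("resources"), resource):
            verbs.update(rule.get("verbs") or [])
    return verbs

def audit(role_list):
    """Return (kind, namespace, name, resource) where 'get' is granted without 'create'."""
    findings = []
    for role in role_list.get("items", []):
        meta = role.get("metadata", {})
        for res in STREAMING:
            verbs = verbs_for(role, res)
            if "get" in verbs and not ({"create", "*"} & verbs):
                findings.append((role.get("kind"), meta.get("namespace", ""), meta.get("name"), res))
    return findings

# Constructed sample input (hypothetical role names), shaped like kubectl's JSON list.
SAMPLE = {"items": [
    {"kind": "Role", "metadata": {"namespace": "team-a", "name": "debugger"},
     "rules": [{"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["get"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "ops"},
     "rules": [{"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["get"]},
               {"apiGroups": [""], "resources": ["pods/exec", "pods/portforward"], "verbs": ["create"]}]},
    {"kind": "Role", "metadata": {"namespace": "team-b", "name": "tunnel"},
     "rules": [{"apiGroups": ["*"], "resources": ["*/portforward"], "verbs": ["get", "list"]}]},
]}

if __name__ == "__main__":
    # Pass a file saved from kubectl as the first argument, or run on the sample.
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for kind, ns, name, res in audit(data):
        print(f"{kind} {ns + '/' if ns else ''}{name}: 'get' without 'create' on {res}")
```

The check is per role: a subject bound to several roles may still receive `create` from another one, so confirm findings against the bindings.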

If you want a deeper dive, comment with what you’re running today (managed K8s vs self-managed, distro, container runtime, auth setup) and I’ll break down the safest upgrade path.

Useful links:

Kubernetes v1.35 sneak peek: https://kubernetes.io/blog/2025/11/26/kubernetes-v1-35-sneak-peek/
Kubernetes 1.35 security features (Sysdig): https://www.sysdig.com/blog/kubernetes-1-35-whats-new

Chapters:

00:00 Intro
00:22 Kubernetes 1.35 security changes
00:29 cgroup v1 deprecation
00:47 SPDY goes WebSockets
01:13 Stricter image pull auth
01:53 Kubernetes 1.35 positive security upgrades
02:30 Checklist: What to do before upgrading
