Kubernetes 1.35 Security Changes: cgroup, WebSockets, Image Pull Auth + More

It’s December, and Kubernetes 1.35 is almost here - with security changes that can break workloads or access paths if you upgrade unprepared. This video is a fast, practical security edition rundown for security and platform engineers: what changed, why it matters, and what to verify before you roll 1.35 into production.

In this video (Kubernetes 1.35 security highlights):
cgroup v1 - v2 shift: cgroup v1 is being deprecated in favor of v2 - check your nodes before upgrading.

SPDY replaced by WebSockets in the API server: RBAC implications for exec / port-forward style upgrades - review “create” permissions where required.

Stricter image pull authorization: new behavior can mean pods fail to start if credentials aren’t properly configured (especially in multi-tenant clusters).

New defenses worth enabling: constrained impersonation behavior, improved CSI credential handling, and tighter kubelet certificate validation (opt-in).

If you want a deeper dive, comment with what you’re running today (managed K8s vs self-managed, distro, container runtime, auth setup) and I’ll break down the safest upgrade path.

Useful links:

Kubernetes v1.35 sneak peek: https://kubernetes.io/blog/2025/11/26...
Kubernetes 1.35 security features (Sysdig): https://www.sysdig.com/blog/kubernete...

Chapters:

00:00 Intro
00:22 Kubernetes 1.35 security changes
00:29 cgroup v1 deprecation
00:47 SPDY goes WebSockets
01:13 Stricter image pull auth
01:53 Kubernetes 1.35 positive security upgrades
02:30 Checklist: What to do before upgrading

#kubernetes #kubernetessecurity #k8s #cloudnative #devsecops #platformengineering #securityengineering #rbac #supplychainsecurity #containersecurity #cncf #cloudsecurity