Kubernetes 1.36 Released: HPA Scale-to-Zero, User Namespaces and OCI Volumes Go Stable (April 2026)

The Kubernetes community on April 22, 2026 released Kubernetes 1.36, shipping 80 tracked enhancements across the release — 18 graduating to stable, 18 to beta and 26 new alpha features. The headline change for operators: HPA scale-to-zero, a feature gate that first appeared in v1.16 back in 2019, is finally enabled by default, letting Horizontal Pod Autoscalers drop deployments to zero replicas during idle windows.

What Happened

Kubernetes 1.36 follows the project's usual three-releases-a-year cadence and is the first stable release of 2026. Beyond HPA scale-to-zero, v1.36 promotes two long-running user-facing features to general availability: user namespaces support in pods, which lets a process that appears as root (UID 0) inside a container map to an unprivileged user on the host, and the OCI VolumeSource, which lets containers mount OCI images as read-only volumes so that large ML models, configs and datasets can be packaged and versioned separately from application images.

The release also stabilises Mutating Admission Policies (CEL-based mutations that replace many webhook servers) and External ServiceAccount Token Signing, which delegates token signing to external key-management systems for stricter compliance environments. On the networking side, Ingress-NGINX received a formal retirement notice from the Kubernetes SIG Security committee, accelerating the ecosystem's move to the Gateway API. Two deprecated components were also removed outright: the gitRepo volume plugin and the IPVS mode in kube-proxy.

Key Details

• HPA scale-to-zero enabled by default — Horizontal Pod Autoscalers can now scale deployments to zero replicas during idle periods; an external metric source (such as KEDA) is still needed to scale back up from zero.
• User namespaces — GA — Rootless containers are now a first-class citizen; UID 0 inside the container maps to an unprivileged UID on the host, closing a long-standing container-escape class.
• OCI VolumeSource — GA — Containers can mount an OCI image as a volume, enabling clean separation of large model weights, datasets and configs from the application image.
• Mutating Admission Policies — GA — CEL-based mutations inside the API server replace many webhook servers, cutting latency and an entire tier of custom infrastructure.
• External ServiceAccount Token Signing — GA — Signing can now be delegated to an external KMS, a compliance win for regulated environments.
• Workload-Aware Preemption (alpha) — Groups of related pods (e.g. distributed training jobs) are treated as a unit during scheduling decisions.
• PVC Last-Used Tracking (alpha) — Status fields now surface which PersistentVolumeClaims are actually idle, simplifying cost cleanup.
• Removals — The gitRepo volume plugin and kube-proxy's IPVS mode are gone; Ingress-NGINX received a formal retirement notice from SIG Security.

What Developers and Users Are Saying

Early reaction on platform-engineering Twitter/X and in cloud-native communities is dominated by one number: 70%+. That is the figure multiple operators and cost-optimisation vendors are quoting for typical idle-environment cost savings once HPA scale-to-zero is enabled on staging, preview and batch clusters. A widely shared dev.to breakdown walks through the one-line config change that unlocks the savings.

The other dominant reaction is relief about the Ingress-NGINX retirement: many platform teams have been quietly carrying the migration on their roadmap for over a year, and the SIG Security notice now gives them the mandate to prioritise a Gateway API migration. Not everyone is happy: Ingress-NGINX users with bespoke annotations have pushed back on the timeline, noting that migrating annotation-based rules to Gateway API's typed resources is non-trivial for complex setups. Developers running distributed AI workloads have flagged Workload-Aware Preemption as the most interesting alpha, even if they will not turn it on in production yet.

What This Means for Developers

For platform and SRE teams, the short-term action items are concrete: enable HPA scale-to-zero on non-production clusters to capture immediate cost savings, audit any remaining gitRepo or IPVS usage before upgrading (both are gone), and start the migration plan off Ingress-NGINX onto the Gateway API. For security engineers, user namespaces hitting GA means pod-level rootless containers can now be rolled out without a feature-gate flag and without giving up compatibility with existing CNIs and CSI drivers.

For application developers the picture is simpler — most code will not need changes — but the new OCI volume source opens up a cleaner pattern for shipping ML models and large assets alongside workloads, and CEL-based Mutating Admission Policies mean fewer cases where you have to build and operate a custom webhook server.

What's Next

Kubernetes 1.36 is the first of three planned 2026 releases; v1.37 is tentatively scheduled for August and v1.38 for December, per the project's usual four-month cycle. Managed offerings — GKE, EKS and AKS — typically take 2–4 months to ship 1.36 to general availability, though early-access channels should have it within weeks. The official release notes live in the Kubernetes CHANGELOG, and the full list of enhancements is tracked on the kubernetes/enhancements repo.

Sources

• Kubernetes CHANGELOG 1.36 — primary source, official release notes and enhancement list.
• PerfectScale: Kubernetes 1.36 Release — New Features, Beta & Stable Changes — detailed breakdown of stable and beta features.
• Palark: Kubernetes 1.36 — Deep Dive into New Alpha Features — technical walk-through of alpha-stage enhancements.
• dev.to: Scale-to-Zero — Cut Your K8s Bill by 70% With One Config Change — practitioner reaction and cost-savings walkthrough.
• Cloud Native Now: What to Expect From Kubernetes 1.36 — Gateway API context and the Ingress-NGINX retirement story.
• Cloudsmith: Kubernetes 1.36 — What You Need to Know — additional cross-reference on stable features and removals.