The Wire · Showcase
WATCHCACHE REFACTOR LANDS ALONGSIDE KOPS 1.36 BETA AND SERVICE NAME RELAXATION
By RepoJournal · Filed · About Kubernetes
The apiserver watchCache got a major internal refactor to fix concurrent mutation bugs, while kops shipped its first beta release of 1.36 and Kubernetes promoted relaxed service naming rules to GA.
The watchCache changes [1] [2] [3] are the heaviest lift across the stack. A race condition where the indexer was being mutated outside its lock has now been fixed [5], and the immutable configuration fields have been extracted into a dedicated struct to decouple history and storage logic further. These aren't user-facing, but they tighten the apiserver's internal consistency guarantees heading into the next release cycle. The JSON streaming encoder also got optimized to avoid per-item output copies [4], which compounds with the watchCache work to improve list performance. Over on the kops side, version 1.36.0-beta.1 shipped [6] alongside support for etcd 3.7.0-rc.0 [7], allowing scalability jobs to soak the next etcd release before it goes final. Azure node identity just got hardened to use IMDS-attested PKCS7-signed metadata documents instead of raw tokens [8], a significant security improvement for cloud clusters. In core Kubernetes, KEP-5311 [9] promotes relaxed validation for service names to GA, meaning you can now use uppercase letters and hyphens in service names without feature gates. Minikube consolidated duplicated DHCP lease polling across all macOS drivers [10] into a single shared handler, fixing several bugs in the process and making future improvements to the waiting strategy much easier.
Action items
- → Test kops 1.36.0-beta.1 in non-critical infrastructure to validate etcd 3.7.0-rc.0 compatibility kubernetes/kops [plan]
- → Review watchCache refactor if you maintain apiserver-adjacent code; the lock semantics have changed kubernetes/kubernetes [plan]
- → Plan service name migration if you currently use lowercase-only naming for compliance kubernetes/kubernetes [monitor]
References
- [1] Merge pull request #139658 from serathius/watchcache-snapshot-clone kubernetes/apiserver
- [2] Merge pull request #139676 from serathius/watchcache-config kubernetes/apiserver
- [3] Extract immutable watchCache configuration fields to ImmutableWatchCacheConfig kubernetes/apiserver
- [4] Merge pull request #139617 from jpbetz/opt/json-collections-encoder kubernetes/apiserver
- [5] Fix indexer being mutated from outside the lock ↗ kubernetes/kubernetes
- [6] Release 1.36.0-beta.1 ↗ kubernetes/kops
- [7] Support etcd 3.7.0-rc.0 and allow overriding the etcd version in the scalability scenario ↗ kubernetes/kops
- [8] azure: Use IMDS attested metadata document for node identity ↗ kubernetes/kops
- [9] KEP-5311 Promote relaxed validation for Services names to GA ↗ kubernetes/kubernetes
- [10] drivers: Deduplicate DHCP lease handling on macOS ↗ kubernetes/minikube
FAQ
- What changed in Kubernetes on June 13, 2026?
- The apiserver watchCache got a major internal refactor to fix concurrent mutation bugs, while kops shipped its first beta release of 1.36 and Kubernetes promoted relaxed service naming rules to GA.
- What should Kubernetes teams do about it?
- Test kops 1.36.0-beta.1 in non-critical infrastructure to validate etcd 3.7.0-rc.0 compatibility • Review watchCache refactor if you maintain apiserver-adjacent code; the lock semantics have changed • Plan service name migration if you currently use lowercase-only naming for compliance
- Which Kubernetes repositories shipped on June 13, 2026?
- kubernetes/apiserver, kubernetes/kubernetes, kubernetes/kops, kubernetes/minikube