Kubernetes 1.35: The Great Filter
This isn't a feature release. It's a cleanup. Kubernetes 1.35 finally removes the legacy debt (cgroup v1, IPVS) that has been holding platforms back.
I call Kubernetes 1.35 "The Great Filter."
Usually, a Kubernetes release is about what you get. This release is about what you lose.
The maintainers have finally pulled the plug on technical debt that has been lingering for a decade. If you are running a modern, well-maintained platform, you won't notice a thing. But if you are nursing old CentOS 7 nodes or relying on legacy networking hacks, this release will break your cluster. (This is why Platform Engineering is a full-time job).
Here is the damage report.
1. Cgroup v1 is Dead. Truly.
We knew it was coming. It's been deprecated forever. But in 1.35, the kubelet will refuse to start if it detects cgroup v1 — unless you explicitly set failCgroupV1: false in the kubelet config to opt out of the enforcement (a temporary escape hatch, not a long-term solution).
The Impact:
- If you are running older Linux distributions (Amazon Linux 2, CentOS 7, older Ubuntu), you cannot upgrade to 1.35 without either migrating to cgroup v2 or setting the override flag.
- Java applications that rely on old JDK versions might struggle to read memory limits correctly on cgroup v2.
The Fix: You don't patch this. You replace your nodes. Move to a modern OS (Amazon Linux 2023, Bottlerocket, Ubuntu 22.04+) immediately. The failCgroupV1: false flag buys you time but doesn't change the end state.
2. IPVS is Gone
For years, we used kube-proxy in IPVS mode because iptables was too slow at scale. But IPVS involved complex kernel module management and was a nightmare to debug.
Kubernetes 1.35 doesn’t formally remove IPVS, but the community has made its preference clear: new features are being built around nftables (the successor to iptables in 1.29+), and the long-term direction is bypassing kube-proxy entirely with eBPF (Cilium, Calico). IPVS has no official deprecation KEP yet, but investing in it is a dead end.
My Advice: Don’t try to migrate to nftables unless you love pain. Just switch to Cilium (or a similar eBPF CNI) and replace kube-proxy entirely. It’s 2026; you shouldn’t be managing iptables rules.
3. The "AI" Stuff is Actually Good
It’s not all doom and gloom. 1.35 introduces Dynamic Resource Allocation (DRA) for real this time.
Previously, if you wanted to attach a GPU to a pod, it was a hacky process. With DRA, resource drivers are first-class citizens. You can request "A slice of an A100" or "Any GPU with at least 24GB VRAM," and the scheduler actually understands it.
If you are building an AI platform, this is the feature that makes Kubernetes viable against Slurm.
4. In-Place Pod Resize (Finally GA)
This is the sleeper hit. You can now change CPU/Memory resources on a running pod without restarting it.
Why this is huge for Java apps:
- Java apps hate restarts (cold starts kill performance).
- Now, a Vertical Pod Autoscaler (VPA) can nudge the memory up during a traffic spike without killing the JVM.
The Verdict
Kubernetes 1.35 is a maturity test.
- Failing Grade: You spend 3 months fighting cgroup v1 migrations and fixing custom hacking scripts.
- Passing Grade: You update your node groups to the latest OS, flip a Terraform flag to update the control plane, and go get coffee.
Which one are you going to be?
Stuck on an old version? Contact us at Coding Protocols. We specialize in "un-breaking" legacy Kubernetes clusters.
