Released on August 27, 2025 under the theme « Of Wind & Will (O’ WaW) », Kubernetes v1.34 brings a strong security focus, reinforcing zero-trust principles, secure defaults, and identity-aware operations across the platform.
Projected ServiceAccount Tokens for Image Pulls (Beta)
– What’s new: The kubelet can now use short-lived, audience‑bound ServiceAccount tokens to authenticate with container registries, eliminating static Secrets on nodes.
– Why it matters: This significantly shrinks the attack surface by eschewing long-lived credentials, aligning registry access with workload identity rather than node-level secrets.
Scoped Anonymous Access for API Endpoints
– What’s new: Administrators can now safely expose the health endpoints (/healthz, /readyz, /livez) to unauthenticated requests while denying all other anonymous access, using a narrow allow-list in AuthenticationConfiguration.
– Why it matters: Prevents accidental overexposure of API capabilities, balancing open health checks for observability with tightened security controls.
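As an added illustration (not from the original post), the fragment below shows what such a narrow allowance looks like in an AuthenticationConfiguration file; it assumes the apiserver.config.k8s.io/v1beta1 schema and that the file is handed to kube-apiserver via --authentication-config.

```yaml
# Added example: scoped anonymous access for health checks only.
# Assumes the apiserver.config.k8s.io/v1beta1 schema; pass this file to
# kube-apiserver with --authentication-config=<path>. When the anonymous
# section is set here, the --anonymous-auth flag must not also be used.
apiVersion: apiserver.config.k8s.io/v1beta1
kind: AuthenticationConfiguration
anonymous:
  enabled: true          # anonymous auth stays on, but only for the paths below
  conditions:            # an unauthenticated request is accepted only if its
  - path: /livez         # path matches one of these entries; anything else
  - path: /readyz        # (e.g. /api, /apis) is rejected as unauthenticated
  - path: /healthz
```

Compare this with the older, broad setting (`--anonymous-auth=true` with no conditions), where every unauthenticated request reaches authorization as `system:anonymous`; the allow-list above keeps probes working without extending that identity to the rest of the API.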
Pod Identity & mTLS with PodCertificateRequests (Stable)
– What’s new: Pods can now obtain X.509 certificates via PodCertificateRequests, allowing kubelet-managed issuance for use in mTLS authentication.
– Why it matters: Embeds strong, workload-specific identity into the platform, reinforcing secure communication patterns among services.
Field or Label-Aware RBAC (Enhanced Least Privilege)
– What’s new: Although not yet GA, emerging enhancements allow RBAC rules that consider node or pod-specific attributes (fields or labels) to enforce least-privilege access.
– Why it matters: Granular permissions reduce risk from overbroad role bindings, tightening control over what pods or nodes can access and do.
CEL Mutation Policies & External JWT Signing
– CEL Mutation Policies: Introduce native support for rule-based mutation using Common Expression Language (CEL), enabling secure, declarative policy enforcement within Kubernetes.
– External JWT Signing: Facilitates signing JWTs via external key management services, removing local key storage and enhancing auditability and security.
Mutual TLS (mTLS) for Pod-to-API Traffic
– What’s new: Kubernetes is ramping up mTLS support to secure pod-to-API server communications, though details are still unfolding.
– Why it matters: Ensures encrypted, authenticated channels between workloads and the control plane, a key zero-trust tenet.
OCI Artifact Volumes & Image Pull Security
– What’s new: Ability to mount OCI images directly as volumes, ensuring secure, versioned delivery of external files to pods.
– Why it matters: Reduces reliance on sidecars or manual injection methods, streamlining configuration while preserving integrity.
Conclusion
Kubernetes v1.34 represents a meaningful step forward in embedding robust security into the platform itself. From per-pod identity to safer defaults, explicit anonymous access handling, and fine-grained policy enforcement, it advances Kubernetes toward a more zero-trust architecture.
Organizations should plan their upgrade thoughtfully, in particular adopting projected ServiceAccount tokens for image pulls, pod-level certificates, and scoped anonymous access to immediately raise cluster security.
Maxime.