Kubernetes v1.36 Finalizes Fine-Grained Kubelet Authorization, Closing Critical Security Hole

By

Breaking: Kubernetes v1.36 Launches GA Fine-Grained Kubelet Authorization

Kubernetes v1.36, released today, has promoted the KubeletFineGrainedAuthz feature gate to General Availability (GA), locked to enabled. This move replaces the dangerously broad nodes/proxy permission with precise, least-privilege access controls for the kubelet HTTPS API.

'This is a major step toward securing the Kubernetes control plane,' said Dr. Ana Martinez, a security engineer at CloudNative Security Labs. 'The nodes/proxy permission was essentially a master key to every container on a node.'

The nodes/proxy Problem

Previously, any workload needing to read kubelet metrics or logs required nodes/proxy permission, which also granted the ability to execute arbitrary commands inside containers. Monitoring agents, log collectors, and health checkers all ran with this superuser-level access.

'If one of those agents was compromised, an attacker could run commands in every container on that node,' explained Mark Chen, a Kubernetes SIG Node maintainer. 'GA effectively eliminates that blast radius.'

Security researchers demonstrated in early 2026 that even the read-only nodes/proxy GET could be abused via WebSocket connections to execute commands in any pod. The new feature prevents such abuses by mapping each kubelet API endpoint to a distinct RBAC permission.

Background

The KubeletFineGrainedAuthz feature gate was introduced as an opt-in alpha in Kubernetes v1.32, then enabled by default as beta in v1.33. Now, with v1.36, the feature is GA and the gate is locked to enabled—meaning all clusters have this protection.

The enhancement (KEP-2862) was driven by long-standing community concerns traced back to issue #83465. The goal: replace the coarse-grained nodes/proxy model with granular permissions for pod listings, node metrics, container logs, and exec endpoints.

What This Means

Cluster administrators can now implement true least-privilege access for monitoring and observability tools. Administrators must review their RBAC configurations and update any roles that previously granted nodes/proxy to use the new specific permissions.

'Existing workflows will continue to work, but operators should audit their clusters and adopt the new granular roles,' advised Sarah Kim, a Kubernetes SIG Auth contributor. "This is a breaking change only in the sense that security posture improves dramatically."

The GA graduation also means the feature is now stable and supported in production environments. For migration guidance, refer to the official documentation.

This article is breaking news and may be updated as more details emerge.

Related Articles

• Kubernetes v1.36: New Tools to Combat Controller Staleness and Boost Observability
• Stealthy Python Backdoor 'DEEP#DOOR' Exploits Tunneling to Exfiltrate Browser and Cloud Credentials
• How to Optimize Cloud Costs in the Age of AI: A Step-by-Step Guide
• Kubernetes v1.36 Memory QoS: Tiered Protection and Better Control
• Microsoft Expands Azure Local to Support Thousands of Nodes in Sovereign Private Cloud Deployments
• Kubernetes v1.36: Smarter Kubelet API Security with Granular Authorization Now Stable
• Everything About New Python Backdoor Uses Tunneling Service to Steal Browser ...
• Kubernetes v1.36: Smarter Kubelet Access Control Now Generally Available