Breaking: Kubernetes v1.36 Launches GA Fine-Grained Kubelet Authorization
Kubernetes v1.36, released today, has promoted the KubeletFineGrainedAuthz feature gate to General Availability (GA), locked to enabled. This move replaces the dangerously broad nodes/proxy permission with precise, least-privilege access controls for the kubelet HTTPS API.
'This is a major step toward securing the Kubernetes control plane,' said Dr. Ana Martinez, a security engineer at CloudNative Security Labs. 'The nodes/proxy permission was essentially a master key to every container on a node.'
The nodes/proxy Problem
Previously, any workload needing to read kubelet metrics or logs required nodes/proxy permission, which also granted the ability to execute arbitrary commands inside containers. Monitoring agents, log collectors, and health checkers all ran with this superuser-level access.
'If one of those agents was compromised, an attacker could run commands in every container on that node,' explained Mark Chen, a Kubernetes SIG Node maintainer. 'GA effectively eliminates that blast radius.'
Security researchers demonstrated in early 2026 that even the read-only nodes/proxy GET could be abused via WebSocket connections to execute commands in any pod. The new feature prevents such abuses by mapping each kubelet API endpoint to a distinct RBAC permission.
Background
The KubeletFineGrainedAuthz feature gate was introduced as an opt-in alpha in Kubernetes v1.32, then enabled by default as beta in v1.33. Now, with v1.36, the feature is GA and the gate is locked to enabled—meaning all clusters have this protection.
The enhancement (KEP-2862) was driven by long-standing community concerns traced back to issue #83465. The goal: replace the coarse-grained nodes/proxy model with granular permissions for pod listings, node metrics, container logs, and exec endpoints.
What This Means
Cluster administrators can now implement true least-privilege access for monitoring and observability tools. Administrators must review their RBAC configurations and update any roles that previously granted nodes/proxy to use the new specific permissions.
'Existing workflows will continue to work, but operators should audit their clusters and adopt the new granular roles,' advised Sarah Kim, a Kubernetes SIG Auth contributor. "This is a breaking change only in the sense that security posture improves dramatically."
The GA graduation also means the feature is now stable and supported in production environments. For migration guidance, refer to the official documentation.
This article is breaking news and may be updated as more details emerge.