Kubernetes v1.34 — Dynamic Resource Allocation goes GA; kubelet image token pull and pod-level resources change the game


Key update

Kubernetes v1.34 (release notes posted Aug 27, 2025) promotes Dynamic Resource Allocation (DRA) to GA, introduces kubelet support for short‑lived, audience‑bound ServiceAccount tokens for image pulls (beta), and advances pod‑level resource requests/limits to beta while adding a new KYAML output option and other scheduler and API‑server performance improvements.

Why it matters

DRA GA is the biggest practical change: device management (GPUs, TPUs, smart NICs, etc.) moves from ad‑hoc device plugins and annotations to first‑class, API‑driven ResourceClaim/DeviceClass/ResourceSlice objects and scheduler integration. For teams running AI/ML or specialized hardware, this reduces custom controller complexity, makes device sharing and fine‑grained allocation feasible, and opens a path to safer multi‑tenant GPU usage — but it requires device drivers and cluster drivers to implement the DRA APIs. Expect driver upgrades and controller changes before you can fully adopt it in production.

The kubelet’s use of projected ServiceAccount tokens for image registries materially improves security posture: image pulls can be authorized using short‑lived, pod‑scoped credentials instead of long‑lived node secrets, reducing attack surface and secret sprawl. Practically, operators should validate that their registries and credential providers support audience‑bound tokens and plan a staged migration from node‑level pull secrets.
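One way to check, during such a migration, that a token handed to a credential provider really is audience-bound, short-lived and pod-scoped. This is an added example, not Kubernetes or kubelet code; it inspects claims only and does not verify the signature. The audience string, the 600-second ceiling and the sample tokens are constructed, and the `kubernetes.io` claim layout is assumed to follow the standard bound ServiceAccount token format.

```python
import base64
import json

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_unsigned_token(claims: dict) -> str:
    """Constructed, unsigned JWT-shaped string so the audit runs offline."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."

def decode_claims(token: str) -> dict:
    """Decode the payload segment only; the signature is NOT verified here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-segment JWT")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def audit_pull_token(token, expected_audience, max_lifetime_s, now):
    """Return findings; an empty list means the claims match the policy."""
    claims = decode_claims(token)
    findings = []
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    if aud != [expected_audience]:
        findings.append(f"audience {aud} is not exactly [{expected_audience!r}]")
    iat, exp = claims.get("iat"), claims.get("exp")
    if iat is None or exp is None:
        findings.append("missing iat/exp, lifetime cannot be bounded")
    else:
        if exp - iat > max_lifetime_s:
            findings.append(f"lifetime {exp - iat}s exceeds {max_lifetime_s}s")
        if exp <= now:
            findings.append("token is already expired")
    # Assumption: pod binding appears under the "kubernetes.io" private claim.
    if "pod" not in claims.get("kubernetes.io", {}):
        findings.append("token is not bound to a pod")
    return findings

NOW = 1_756_300_000  # constructed clock value
AUDIENCE = "registry.example.internal"  # hypothetical registry audience
GOOD = make_unsigned_token({
    "aud": [AUDIENCE], "iat": NOW - 60, "exp": NOW + 540,
    "kubernetes.io": {"namespace": "ml", "pod": {"name": "train-0"},
                      "serviceaccount": {"name": "trainer"}}})
BAD = make_unsigned_token({  # API-server audience, one-year life, no pod
    "aud": ["https://kubernetes.default.svc"], "iat": NOW, "exp": NOW + 31_536_000,
    "kubernetes.io": {"namespace": "ml", "serviceaccount": {"name": "trainer"}}})
```

Calling `audit_pull_token(BAD, AUDIENCE, 600, NOW)` reports the wrong audience, the excessive lifetime and the missing pod binding, while the same call on `GOOD` returns an empty list.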

Pod‑level resource requests/limits (now beta) simplify multi‑container Pod sizing and make autoscalers (HPA/VPA/cluster autoscaler) and schedulers able to reason about Pod budgets instead of per‑container budgets—this can cut over‑provisioning for sidecars and improve packing, but some tooling (metrics adapters, autoscalers, custom schedulers) will need updates to read the new semantics.

Operational impact and immediate actions: test v1.34 in staging (kubeadm/minikube/GKE/EKS images), coordinate driver and CSI updates before enabling DRA in production, audit image‑pull credential flows and credential providers to use projected tokens, and verify autoscaling and custom controllers against pod‑level resource semantics. These changes are actionable and meaningful for real workloads (especially workloads using accelerators, stricter image‑pull security, or multi‑container Pods) — not just incremental surface tweaks.
