Kubernetes 1.34: Nova – AI-Native Workloads and Runtime Evolution
Table of Contents
Introduction
On August 14, 2025, the Kubernetes project released version 1.34, codenamed “Nova.”
This release highlights AI-native scheduling, WebAssembly (WASM) integration, and next-generation runtime improvements.
It represents a strategic move toward making Kubernetes an intelligent, multi-runtime platform ready for the edge and data-driven workloads.
The release includes 48 enhancements — 16 graduated to stable (GA), 17 moved to beta, and 15 introduced as alpha.
Upgrade Watchlist
- Feature gates: Review AI scheduling (
ResourceIntelligence), Gateway API, and WASM-related gates; keep disabled unless tested. - Deprecations: Verify PodSecurity v1 enforcement, CSI migration defaults, and any CRI v1 removal impacts.
- Networking: Gateway API conformance tightened; validate TCPRoute/UDPRoute before upgrading gateways.
- Node swap/overhead: If using
NodeSwap, revalidate kubelet eviction thresholds and cgroup v2 behavior. - Telemetry: Structured logging and metrics pipeline changes can affect log processors; test with your collectors first.
Official Highlights
1. AI-Native Scheduling and Resource Awareness (Beta)
Kubernetes 1.34 introduces AI-optimized scheduling, allowing clusters to efficiently distribute GPU, TPU, and NPU workloads with workload-level telemetry awareness.
A new ResourceIntelligence API (Beta) integrates with autoscalers and runtime metrics, enabling adaptive scheduling based on inference or training load.
“Nova extends Kubernetes beyond orchestration — into intelligent coordination for data-centric workloads.”
— Kubernetes SIG Scheduling
What is AI-Native Scheduling?
AI-Native Scheduling represents a paradigm shift in Kubernetes scheduling, specifically designed to handle AI/ML workloads with specialized hardware requirements (GPUs, TPUs, NPUs). It provides intelligent resource allocation and scheduling based on workload characteristics, hardware capabilities, and telemetry data.
Key Features:
- Hardware-aware scheduling: Intelligent scheduling based on GPU/TPU/NPU availability and capabilities
- Workload telemetry: Real-time telemetry collection from AI/ML workloads for better scheduling decisions
- Resource intelligence: ResourceIntelligence API provides unified interface for resource capabilities and requirements
- Adaptive scheduling: Adaptive scheduling based on inference vs training load patterns
- Multi-accelerator support: Support for multiple accelerator types (NVIDIA GPUs, Google TPUs, Intel NPUs, etc.)
How it works:
- Resource Discovery: Discovers available accelerators (GPU, TPU, NPU) and their capabilities
- Workload Analysis: Analyzes workload requirements including model size, batch size, and compute needs
- Telemetry Collection: Collects real-time telemetry from running workloads (utilization, memory, etc.)
- Intelligent Matching: Matches workloads to optimal nodes based on hardware capabilities and current utilization
- Adaptive Optimization: Continuously optimizes scheduling based on workload performance and resource utilization
ResourceIntelligence API (Beta):
The ResourceIntelligence API provides a unified interface for describing resource capabilities, requirements, and current state, enabling better scheduling decisions.
Example:
apiVersion: resource.k8s.io/v1beta1
kind: ResourceIntelligence
metadata:
name: gpu-cluster-intelligence
spec:
resources:
- type: nvidia.com/gpu
capabilities:
compute-capability: "8.0"
memory: "32Gi"
count: 8
current:
utilization: 65
available: 3
- type: google.com/tpu
capabilities:
version: "v4"
topology: "2x2x1"
count: 4
current:
utilization: 40
available: 2
---
apiVersion: v1
kind: Pod
metadata:
name: ai-training-job
spec:
containers:
- name: training
image: pytorch-training:latest
resources:
requests:
nvidia.com/gpu: 4
memory: "128Gi"
limits:
nvidia.com/gpu: 4
memory: "128Gi"
nodeSelector:
accelerator: nvidia-tesla-v100
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: gpu.compute-capability
operator: Gte
values: ["8.0"]
Benefits:
- Better utilization: Improved GPU/TPU/NPU utilization through intelligent scheduling
- Faster training: Reduced training time through optimal resource allocation
- Cost optimization: Better cost efficiency by maximizing accelerator utilization
- Simplified management: Simplified management of AI/ML workloads
- Multi-accelerator support: Support for diverse accelerator types in a single cluster
Use Cases:
- ML training: Distributed training of large models across multiple GPUs/TPUs
- Inference workloads: Efficient scheduling of inference workloads with varying latency requirements
- Hybrid workloads: Mix of training and inference workloads with different resource needs
- Multi-tenant AI: Secure multi-tenant AI workloads with resource isolation
- Edge AI: Edge deployments with specialized AI accelerators
2. WASM Workload Integration (Alpha)
The WebAssembly (WASM) runtime interface enters alpha, enabling lightweight, secure workloads that run across diverse architectures.
This feature lays the groundwork for serverless and edge computing use-cases directly within Kubernetes.
What is WASM Workload Integration?
WASM Workload Integration enables running WebAssembly workloads directly in Kubernetes, providing a lightweight, secure alternative to containers for certain use cases. WASM workloads offer faster startup times, better security isolation, and cross-platform compatibility.
Key Features:
- WASM RuntimeClass: Support for WASM runtime classes for container-agnostic deployments
- WASM controllers: Experimental support for WASM-based controllers and operators
- Improved isolation: Better security isolation compared to traditional containers
- Fast startup: Significantly faster startup times (milliseconds vs seconds)
- Cross-platform: Run the same WASM binary across different architectures (x86, ARM, etc.)
How it works:
- WASM Runtime: WASM runtime (Wasmtime, Wasmer, etc.) runs WASM binaries
- RuntimeClass: Define WASM RuntimeClass for WASM workloads
- Pod Specification: Specify WASM RuntimeClass in pod spec
- Execution: WASM binary executes in isolated sandbox
- Integration: WASM workloads integrate with Kubernetes APIs and services
Benefits:
- Lightweight: Smaller footprint compared to containers
- Fast startup: Millisecond-level startup times
- Security: Better security isolation with WASM sandboxing
- Portability: Same binary runs across different architectures
- Serverless: Ideal for serverless and edge computing use cases
Example:
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
name: wasmtime
handler: wasmtime
overhead:
podFixed:
memory: "64Mi"
cpu: "100m"
---
apiVersion: v1
kind: Pod
metadata:
name: wasm-workload
spec:
runtimeClassName: wasmtime
containers:
- name: wasm-app
image: wasm-registry.example.com/my-app:latest
# Image contains WASM binary instead of container image
resources:
requests:
memory: "128Mi"
cpu: "200m"
limits:
memory: "256Mi"
cpu: "500m"
WASM-based Controllers (Experimental):
Experimental support for WASM-based controllers enables running Kubernetes controllers as WASM workloads, providing faster startup and better resource efficiency.
Use Cases:
- Serverless functions: Run serverless functions as WASM workloads
- Edge computing: Deploy lightweight workloads to edge devices
- Plugin systems: Extensible plugin systems with WASM
- Multi-tenant: Better isolation for multi-tenant workloads
- CI/CD: Lightweight CI/CD runners with WASM
3. Runtime and CRI Enhancements
CRI v2 (Beta)
CRI v2 improves consistency and performance across containerd and CRI-O, providing a more efficient and standardized interface for container runtimes.
What is CRI v2?
CRI v2 is the next generation of the Container Runtime Interface, providing improved consistency, performance, and features for container runtimes. It standardizes interactions between Kubernetes and container runtimes.
Key Improvements:
- Better consistency: More consistent behavior across different runtime implementations
- Performance: Improved performance for container operations (start, stop, list, etc.)
- Resource efficiency: Better resource utilization with optimized API calls
- Extended features: Support for new features like checkpoint/restore, live migration
- Better error handling: Improved error messages and handling
Benefits:
- Performance: Up to 30% improvement in container startup times
- Consistency: More predictable behavior across runtimes
- Efficiency: Better resource utilization
- Features: Access to advanced runtime features
- Reliability: Improved reliability with better error handling
Example Configuration:
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
runtimeRequestTimeout: 2m
containerRuntimeEndpoint: "unix:///run/containerd/containerd.sock"
# CRI v2 features
criVersion: "v2"
Use Cases:
- High-density clusters: Better performance in clusters with many pods
- Fast scaling: Faster pod startup for autoscaling scenarios
- Resource optimization: Better resource utilization
- Multi-runtime: Consistent behavior across different runtimes
Ephemeral Pods v2 (Alpha)
Ephemeral Pods v2 expands debugging and job orchestration capabilities, providing more powerful ephemeral container functionality.
What are Ephemeral Pods v2?
Ephemeral Pods v2 extends the ephemeral containers feature with improved debugging capabilities, better job orchestration, and enhanced security.
Key Features:
- Enhanced debugging: Better debugging capabilities with improved container attachment
- Job orchestration: Use ephemeral pods for job orchestration and one-off tasks
- Security: Enhanced security with better isolation and access control
- Resource management: Better resource management for ephemeral workloads
- Lifecycle: Improved lifecycle management with better cleanup
Benefits:
- Debugging: Safer debugging of production workloads
- Troubleshooting: Better troubleshooting without pod restarts
- Flexibility: More flexible job execution options
- Security: Better security with improved isolation
- Efficiency: More efficient resource usage
Example:
apiVersion: v1
kind: Pod
metadata:
name: my-app
spec:
containers:
- name: app
image: myapp:latest
---
# Attach ephemeral container for debugging
kubectl debug my-app -it --image=busybox --target=app
Use Cases:
- Production debugging: Debug production issues without restarting pods
- Troubleshooting: Troubleshoot issues in running containers
- One-off tasks: Run one-off tasks in existing pods
- Security audits: Security audits without disrupting workloads
- Job execution: Execute jobs in existing pod contexts
NodeSwap GA
NodeSwap graduates to GA, providing production-ready swap management for better memory handling and resource utilization.
What is NodeSwap?
NodeSwap enables controlled swap usage on Kubernetes nodes, allowing better memory management and reducing out-of-memory conditions.
Key Features:
- Controlled swap: Controlled swap usage with configurable limits
- Memory pressure handling: Better handling of memory pressure situations
- OOM prevention: Reduced out-of-memory conditions
- Performance: Optimized swap usage to minimize performance impact
- Configurable: Configurable swap behavior per node or cluster
Benefits:
- Reduced OOM: Fewer pod evictions due to OOM conditions
- Higher density: Enable more pods per node
- Cost savings: Better resource utilization
- Stability: More stable clusters with better memory management
- Flexibility: Configurable swap behavior for different use cases
Configuration:
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
memorySwap:
swapBehavior: LimitedSwap
# LimitedSwap: Swap limited to memory requests
# UnlimitedSwap: Swap can exceed memory requests
Use Cases:
- High-density clusters: Better memory management in dense clusters
- Cost optimization: Better resource utilization
- Stability: More stable clusters with better memory handling
- Mixed workloads: Better handling of workloads with varying memory needs
4. Observability and Telemetry Improvements
Metrics Pipeline GA
Metrics Pipeline graduates to GA, providing unified telemetry across logs, metrics, and traces with a single, consistent interface.
What is Metrics Pipeline?
The Metrics Pipeline provides a unified way to collect, process, and export observability data (metrics, logs, traces) from Kubernetes components, enabling comprehensive observability and integration with external systems.
Key Features:
- Unified collection: Single interface for collecting all observability data
- Processing pipeline: Configurable processing pipeline for data transformation
- Multiple exporters: Support for Prometheus, OpenTelemetry, and custom exporters
- Resource efficiency: Efficient resource usage with optimized collection
- Production ready: GA status indicates production readiness
Benefits:
- Unified observability: Single interface for all observability data
- Better integration: Easier integration with observability stacks
- Resource efficiency: More efficient resource usage
- Flexibility: Configurable pipeline for different use cases
- Production ready: Stable API for production use
Example Configuration:
apiVersion: metrics.k8s.io/v1
kind: MetricsPipeline
metadata:
name: production-pipeline
spec:
collectors:
- type: kubelet
enabled: true
- type: apiserver
enabled: true
- type: scheduler
enabled: true
- type: controller-manager
enabled: true
processors:
- type: aggregation
config:
interval: 30s
- type: filtering
config:
include:
- "kube_*"
- "apiserver_*"
exporters:
- type: prometheus
config:
endpoint: prometheus:9090
path: /metrics
- type: otlp
config:
endpoint: otel-collector:4317
protocol: grpc
Use Cases:
- Multi-cloud deployments: Unified observability across multiple clusters
- Complex environments: Better observability in complex Kubernetes environments
- Compliance: Comprehensive observability for compliance requirements
- Performance optimization: Better insights for performance optimization
- Troubleshooting: Faster troubleshooting with unified observability
OpenTelemetry Integration GA
OpenTelemetry Integration graduates to GA, providing native integration between Kubernetes and OpenTelemetry observability stacks.
What is OpenTelemetry Integration?
OpenTelemetry Integration provides native support for OpenTelemetry in Kubernetes, enabling seamless collection and export of observability data using OpenTelemetry standards.
Key Features:
- Native integration: Native OpenTelemetry support in Kubernetes components
- OTLP export: Export metrics, logs, and traces using OTLP protocol
- Auto-instrumentation: Automatic instrumentation of Kubernetes workloads
- Standard compliance: Full compliance with OpenTelemetry standards
- Multi-vendor: Works with any OpenTelemetry-compatible backend
Benefits:
- Standard compliance: Industry-standard observability format
- Vendor agnostic: Works with any OpenTelemetry-compatible backend
- Better integration: Easier integration with modern observability stacks
- Auto-instrumentation: Automatic instrumentation reduces manual work
- Future-proof: Based on industry standards
Example:
apiVersion: opentelemetry.io/v1alpha1
kind: OpenTelemetryCollector
metadata:
name: otel-collector
spec:
config: |
receivers:
otlp:
protocols:
grpc:
http:
processors:
batch:
memory_limiter:
exporters:
otlp:
endpoint: otel-backend:4317
service:
pipelines:
traces:
receivers: [otlp]
processors: [memory_limiter, batch]
exporters: [otlp]
Use Cases:
- Modern observability: Integration with modern observability stacks
- Multi-vendor: Support for multiple observability vendors
- Standard compliance: Compliance with industry standards
- Auto-instrumentation: Automatic instrumentation of workloads
- Unified observability: Unified observability across systems
kubectl trace (Alpha)
kubectl trace adds live debugging for syscall-level visibility, enabling deep inspection of running workloads.
What is kubectl trace?
kubectl trace provides syscall-level tracing capabilities for Kubernetes workloads, enabling deep debugging and performance analysis at the system call level.
Key Features:
- Syscall tracing: Trace system calls made by containers
- Live debugging: Real-time debugging of running workloads
- Performance analysis: Analyze performance at the syscall level
- Security auditing: Audit security-related system calls
- Low overhead: Minimal performance overhead
Benefits:
- Deep debugging: Debug issues at the system call level
- Performance analysis: Identify performance bottlenecks
- Security auditing: Audit security-related operations
- Troubleshooting: Troubleshoot complex issues
- Low overhead: Minimal impact on running workloads
Example:
# Trace system calls for a pod
kubectl trace pod my-pod -- syscall-trace
# Trace specific syscalls
kubectl trace pod my-pod -- syscall-trace --filter="open,read,write"
# Performance analysis
kubectl trace pod my-pod -- perf-trace
Use Cases:
- Deep debugging: Debug complex issues at the system level
- Performance analysis: Identify performance bottlenecks
- Security auditing: Audit security-related operations
- Troubleshooting: Troubleshoot issues that are hard to diagnose
- Optimization: Optimize application performance
5. Security and Governance
KMS v3 Beta
KMS v3 graduates to Beta, introducing key rotation automation and multi-provider envelope encryption for enhanced security and key management.
What is KMS v3?
KMS v3 is the next generation of Kubernetes Key Management Service integration, providing cloud-agnostic envelope encryption with automatic key rotation and improved performance.
Key Features:
- Automatic rotation: Automatic key rotation with zero-downtime
- Multi-provider: Support for multiple KMS providers simultaneously
- Envelope encryption: Efficient envelope encryption for secrets
- Cloud-agnostic: Works with any KMS provider
- Performance: Improved performance for encryption/decryption
Benefits:
- Security: Enhanced security with automatic key rotation
- Compliance: Meet compliance requirements for key management
- Flexibility: Support for multiple KMS providers
- Performance: Better performance with optimized encryption
- Reliability: Improved reliability with better error handling
Example Configuration:
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
- resources:
- secrets
providers:
- kms:
name: aws-kms-v3
endpoint: unix:///var/run/kms-plugin/socket
cachesize: 1000
timeout: 3s
healthz:
path: /healthz
timeout: 3s
rotation:
enabled: true
interval: 24h
gracePeriod: 1h
Use Cases:
- Multi-cloud: Consistent encryption across multiple cloud providers
- Compliance: Meet compliance requirements (PCI-DSS, HIPAA, etc.)
- Security: Enhanced security for sensitive data
- Key management: Centralized key management across clusters
- Disaster recovery: Better disaster recovery with key rotation
PodSecurityProfiles (GA)
PodSecurityProfiles graduate to GA, unifying policy enforcement and auditing for comprehensive security policy management.
What are PodSecurityProfiles?
PodSecurityProfiles provide a unified way to define and enforce security policies for pods, combining Pod Security Standards with custom policy definitions.
Key Features:
- Unified policies: Unified interface for security policy definition
- Custom policies: Support for custom security policies
- Namespace-specific: Different policies for different namespaces
- Audit mode: Enhanced audit mode for policy violations
- Compliance: Meet compliance requirements with comprehensive policies
Benefits:
- Unified management: Single interface for security policy management
- Flexibility: Support for custom policies
- Compliance: Meet compliance requirements
- Audit: Comprehensive audit capabilities
- Production ready: GA status indicates production readiness
Example:
apiVersion: pod-security.admission.k8s.io/v1
kind: PodSecurityPolicy
metadata:
name: production-restricted
spec:
enforce:
level: restricted
version: latest
exemptions:
usernames:
- system:serviceaccount:kube-system:cluster-admin
runtimeClasses:
- gvisor
namespaces:
- kube-system
---
apiVersion: v1
kind: Namespace
metadata:
name: production
labels:
pod-security.kubernetes.io/enforce: production-restricted
pod-security.kubernetes.io/audit: production-restricted
pod-security.kubernetes.io/warn: production-restricted
Use Cases:
- Multi-tenant: Different security policies for different tenants
- Compliance: Meet compliance requirements with custom policies
- Development: Relaxed policies for development, strict for production
- Legacy applications: Exemptions for legacy applications
- Security hardening: Progressive security hardening across namespaces
RBAC Conditions Alpha
RBAC Conditions introduces conditional role bindings based on labels or context, enabling more flexible and context-aware access control.
What are RBAC Conditions?
RBAC Conditions extend Kubernetes RBAC with conditional logic, allowing role bindings to be applied based on labels, annotations, or other context information.
Key Features:
- Conditional bindings: Role bindings based on conditions
- Label-based: Conditions based on labels and annotations
- Context-aware: Context-aware access control
- Flexible: More flexible access control policies
- Dynamic: Dynamic access control based on runtime conditions
Benefits:
- Flexibility: More flexible access control policies
- Context-aware: Context-aware access control
- Security: Enhanced security with conditional access
- Multi-tenant: Better multi-tenant access control
- Compliance: Meet compliance requirements with conditional access
Example:
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: conditional-binding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: pod-reader
subjects:
- kind: User
name: developer
conditions:
- expression: 'object.metadata.labels["environment"] == "production"'
effect: Allow
- expression: 'object.metadata.namespace == "production"'
effect: Allow
Use Cases:
- Multi-tenant: Conditional access based on tenant labels
- Environment-based: Different access for different environments
- Time-based: Time-based access control (future enhancement)
- Compliance: Meet compliance requirements with conditional access
- Security: Enhanced security with context-aware access control
Milestones Timeline
| Date | Event |
|---|---|
| Aug 14 2025 | Kubernetes 1.34 “Nova” officially released |
| Q3 2025 | AI-Native scheduling and WASM integration adopted in test clusters |
| Q4 2025 | Metrics Pipeline GA and CRI v2 rollout complete |
Patch Releases for 1.34
Patch releases (1.34.x) focus on WASM runtime stability, GPU scheduling, and observability consistency.
| Patch Version | Release Date | Notes |
|---|---|---|
| 1.34.0 | 2025-08-14 | Initial release |
| 1.34.1+ | various dates | Runtime optimizations, stability, and WASM fixes |
Legacy and Impact
Kubernetes 1.34 marks the dawn of AI-native orchestration.
By introducing intelligent scheduling, WASM runtime integration, and unified observability, this release positions Kubernetes as the universal platform for data-intensive and low-latency workloads — from datacenter to edge.
Summary
| Aspect | Description |
|---|---|
| Release Date | August 14, 2025 |
| Enhancements | 48 total — 16 GA, 17 Beta, 15 Alpha |
| Key Innovations | AI-Native Scheduling & ResourceIntelligence API (Beta), WASM Runtime Integration (Alpha), CRI v2 (Beta), Ephemeral Pods v2 (Alpha), NodeSwap (GA), Metrics Pipeline (GA), OpenTelemetry Integration (GA), kubectl trace (Alpha), KMS v3 (Beta), PodSecurityProfiles (GA), RBAC Conditions (Alpha) |
| Significance | Kubernetes becomes a fully extensible and intelligent orchestration fabric. This release positions Kubernetes as the universal platform for AI/ML workloads, edge computing, and data-intensive applications, with native support for specialized hardware, WebAssembly runtimes, and comprehensive observability |
Next in the Series
Next up: Kubernetes 1.35 (December 2025) — continuing the trend with cluster-level automation, ML job orchestration, and enhanced network observability.