Saved February 14, 2026
Do you care about this?
Kubernetes 1.35 introduces significant changes to its security features, including the removal of cgroup v1 support and enhanced image pull verification. Users will need to review their RBAC policies and ensure proper credentials are in place to avoid potential issues during upgrades.
If you do, here's more
Kubernetes 1.35 is set to introduce 17 new security features and changes that significantly affect how clusters operate. A major change is the removal of cgroup v1 support, which Kubernetes has relied on for container management. Starting with this version, cgroup v1 will be disabled by default, pushing users towards the more efficient and secure cgroup v2. If your Linux server still uses cgroup v1, upgrading could lead to issues, so checking compatibility before the upgrade is essential.
Another significant update is the enhancement of image pull authorization. Previously, Kubernetes only checked permissions when an image was pulled, leaving room for unauthorized access if an image had already been downloaded. The new feature introduces a policy for verifying credentials, which is crucial for multi-tenant clusters. The default setting will not apply extra verifications to certain images, potentially leading to pod creation failures if not configured correctly. Administrators should ensure their pods have the necessary credentials and adjust monitoring thresholds accordingly.
The transition from SPDY to WebSockets in Kubernetes CLI tools also brings security implications. The new API server will require users to have specific permissions for connection upgrades, preventing potential privilege escalations. The addition of constrained impersonation offers more granular control, ensuring users can only impersonate others within their permission limits. Lastly, the introduction of a flagz endpoint will help administrators diagnose Kubernetes components by providing command-line arguments used to start them, improving cluster management overall.
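An added example (not from the original article or the Kubernetes project): a pre-upgrade RBAC audit for the connection-upgrade permission check described above. It assumes the required permission is the `create` verb on `pods/exec`, `pods/attach` and `pods/portforward`, which this summary does not spell out; the role names and sample data are constructed.

```python
import json

# Assumption: subresources whose WebSocket upgrade gets the extra `create` check.
SUBRESOURCES = ("pods/exec", "pods/attach", "pods/portforward")

def covers(rule_resources, target):
    # RBAC matches "*", the exact "pods/exec", or the wildcard form "*/exec".
    sub = target.split("/", 1)[1]
    return any(r in ("*", target, "*/" + sub) for r in rule_resources)

def roles_losing_access(role_list):
    """Return {role: [subresources]} where `get` is granted but `create` is not."""
    findings = {}
    for role in role_list.get("items", []):
        granted = {s: set() for s in SUBRESOURCES}
        for rule in role.get("rules") or []:
            groups = rule.get("apiGroups", [])
            if "" not in groups and "*" not in groups:
                continue  # pods live in the core ("") API group
            for sub in SUBRESOURCES:
                if covers(rule.get("resources", []), sub):
                    granted[sub].update(rule.get("verbs", []))
        # Rules are additive, so verbs are merged per role before judging.
        broken = sorted(s for s, verbs in granted.items()
                        if "get" in verbs and not ({"create", "*"} & verbs))
        if broken:
            meta = role["metadata"]
            parts = [role["kind"], meta.get("namespace"), meta["name"]]
            findings["/".join(p for p in parts if p)] = broken
    return findings

# Constructed sample in the shape of `kubectl get roles,clusterroles -A -o json`.
SAMPLE = json.loads("""
{"items": [
 {"kind": "Role", "metadata": {"namespace": "team-a", "name": "debugger"},
  "rules": [{"apiGroups": [""], "resources": ["pods/exec", "pods/portforward"], "verbs": ["get"]}]},
 {"kind": "ClusterRole", "metadata": {"name": "ops"},
  "rules": [{"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["get", "create"]}]},
 {"kind": "Role", "metadata": {"namespace": "team-b", "name": "viewer"},
  "rules": [{"apiGroups": [""], "resources": ["*/attach"], "verbs": ["get"]},
            {"apiGroups": ["apps"], "resources": ["*"], "verbs": ["create"]}]}
]}
""")

if __name__ == "__main__":
    for name, subs in roles_losing_access(SAMPLE).items():
        print(f"{name}: get without create on {', '.join(subs)}")
```

The audit judges each role on its own; a subject bound to several roles may still hold `create` through another binding, so treat each finding as a prompt to check the bindings.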