Kubernetes v1.36 Fixes a Risky Kubelet RBAC Gap

The Kubernetes v1.36 release and its dedicated fine-grained kubelet authorization announcement deserve attention from every SRE team that runs node-level agents. The change reduces how much power you must hand to metrics scrapers, log collectors, and health-check workloads.
What Changed in Kubernetes v1.36?
Before v1.36, many kubelet API requests were authorized through the coarse nodes/proxy subresource. That was a problem because the same permission used for reading kubelet data could also expose sensitive kubelet capabilities, including command execution paths.
With KubeletFineGrainedAuthz now stable and always enabled, kubelet checks more specific subresources first. That includes nodes/metrics, nodes/stats, nodes/pods, nodes/healthz, and nodes/configz. Existing nodes/proxy access still works as a fallback, so upgrades stay smooth while teams tighten RBAC over time.
Why SRE Teams Should Care
This is a classic least-privilege fix. A monitoring DaemonSet that only needs /metrics should not also inherit broad kubelet proxy access. The Kubernetes kubelet auth docs now make that split explicit.
For operators, the practical win is smaller blast radius. If a telemetry or diagnostics agent gets compromised, fine-grained RBAC limits what it can reach on each node. That is especially useful in shared clusters where many node-level agents accumulate over time.
Installation
There is no separate addon to install. Fine-grained kubelet authorization is built into Kubernetes v1.36 and locked on by default. The main work is reviewing old RBAC rules that still grant nodes/proxy.
Usage
A common cleanup is changing a monitoring role from broad proxy access to specific metrics access.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: monitoring-agent
rules:
- apiGroups: [""]
  resources: ["nodes/metrics", "nodes/stats"]
  verbs: ["get"]
This pattern covers the usual kubelet scrape path without handing the workload general proxy permissions on every node.
Operational Tips
Start by grepping your manifests and Helm values for nodes/proxy. Focus first on Prometheus integrations, custom observability DaemonSets, and internal health agents. Upgrade to v1.36, confirm scrapes still work, then replace broad grants with narrower kubelet subresources in stages.
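The cleanup in the Usage section and the nodes/proxy review above can be done against live RBAC objects rather than only manifests. The script below is an added example, not code from the release or from Akmatori: it takes the JSON list that `kubectl get clusterroles,roles -A -o json` returns (a constructed sample is embedded), flags every role that still reaches nodes/proxy, including via wildcards, and builds the narrowed read-only rule for the fine-grained subresources an agent actually needs.

```python
import json

# Kubelet subresources that v1.36 authorizes before falling back to nodes/proxy
FINE_GRAINED = ["nodes/metrics", "nodes/stats", "nodes/pods", "nodes/healthz", "nodes/configz"]

def _rule_grants_proxy(rule):
    """True if one RBAC rule reaches nodes/proxy in the core API group (wildcards included)."""
    groups = rule.get("apiGroups", [])
    if "" not in groups and "*" not in groups:
        return False
    return any(r in ("nodes/proxy", "nodes/*", "*") for r in rule.get("resources", []))

def audit_kubelet_rbac(role_list):
    """Return {role name: sorted verbs} for every Role/ClusterRole that still grants nodes/proxy."""
    findings = {}
    for role in role_list.get("items", []):
        verbs = set()
        for rule in role.get("rules", []):
            if _rule_grants_proxy(rule):
                verbs.update(rule.get("verbs", []))
        if verbs:
            findings[role["metadata"]["name"]] = sorted(verbs)
    return findings

def narrowed_rule(needed):
    """Replacement rule: only the requested fine-grained subresources, read-only."""
    unknown = [s for s in needed if s not in FINE_GRAINED]
    if unknown:
        raise ValueError(f"not a fine-grained kubelet subresource: {unknown}")
    return {"apiGroups": [""], "resources": list(needed), "verbs": ["get"]}

# Constructed sample shaped like `kubectl get clusterroles -o json` output; not from a real cluster
SAMPLE = json.loads("""{"items": [
  {"metadata": {"name": "monitoring-agent"},
   "rules": [{"apiGroups": [""], "resources": ["nodes/proxy"], "verbs": ["get", "create"]}]},
  {"metadata": {"name": "log-collector"},
   "rules": [{"apiGroups": [""], "resources": ["pods", "nodes"], "verbs": ["get", "list"]}]},
  {"metadata": {"name": "legacy-admin"},
   "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]}
]}""")

if __name__ == "__main__":
    for name, verbs in audit_kubelet_rbac(SAMPLE).items():
        print(f"{name}: grants nodes/proxy with verbs {verbs}")
    # The rule to swap in for a scrape-only agent, matching the Usage section
    print(json.dumps(narrowed_rule(["nodes/metrics", "nodes/stats"]), indent=2))
```

Roles that only hit nodes/proxy through a wildcard (like the constructed legacy-admin above) are reported too, since the fallback path keeps working for them after the upgrade.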
Conclusion
Kubernetes v1.36 is a good reminder that not every high-value release feature is flashy. Fine-grained kubelet authorization removes a long-standing RBAC footgun and gives platform teams a safer default for node monitoring.
If you are building reliable, AI-assisted operations, Akmatori helps teams automate infrastructure workflows and incident response. Backed by Gcore, we are building tools for modern SRE and platform teams.
