
Three infrastructure shifts defined 2025: security vulnerabilities forced architectural change (IngressNightmare exposed 43% of cloud environments per Wiz analysis; ingress-nginx retires March 2026), AI moved from code suggestion to autonomous operation (GitHub Copilot coding agent, AWS Frontier Agents, Amazon Bedrock AgentCore), and supply chain attacks evolved into automated propagation (Shai-Hulud compromised 500+ npm packages via stolen credentials).
The 2025 DORA Report quantified the AI trade-off: positive correlation with throughput, negative correlation with stability. Rework Rate was added as a fifth metric to capture this. Dynamic Resource Allocation reached GA in v1.34; In-Place Pod Resize reached GA in v1.35. IBM completed the HashiCorp acquisition for $6.4B. GitHub Actions processes 71 million jobs daily with up to 39% price reductions effective January 2026.
Migrations required in 2026: ingress-nginx to Gateway API (deadline: March), Grafana Agent to Alloy (EOL: November 2025), cgroup v1 to v2 (kubelet blocks by default in v1.35), containerd 1.x to 2.0+ (v1.35 is last supporting release).
Timeline: 2025
January
January 15 — CNCF publishes KubeCon EU 2025 schedule: 2,939 submissions, 229 sessions accepted for London event.
February
February 27 — IBM closes HashiCorp acquisition for $6.4B after UK CMA clearance. HashiCorp becomes a division of IBM Software with planned Red Hat Ansible and watsonx integration. Fidelity announces migration from Terraform to OpenTofu.
February 28 — Kubernetes publishes nftables kube-proxy guidance. IPVS mode's long-term future is uncertain; nftables recommended as the forward path, iptables remains default for compatibility.
March

March 24 — Wiz Research discloses IngressNightmare: five CVEs in ingress-nginx controller. CVE-2025-1974 rated CVSS 9.8—RCE exploitable from anywhere on pod network. Rapid7 confirms 43% of cloud environments vulnerable, 6,500+ clusters publicly exposed with vulnerable admission controllers. Patched versions: 1.12.1 and 1.11.5. Wiz had reported CVE-2025-1974 and CVE-2025-24514 to Kubernetes on December 31, 2024.
Additional CVEs disclosed:
CVE-2025-24513: auth secret file path traversal (Medium)
CVE-2025-24514: config injection via auth-url annotation (High)
CVE-2025-1097: config injection via auth-tls-match-cn annotation (High)
CVE-2025-1098: config injection via mirror annotations (High)
April
April 1-4 — KubeCon EU London.
April 10 — GitHub Actions: macOS 15 and Windows 2025 images GA.
April 23 — Kubernetes v1.33 "Octarine" released. 64 enhancements (18 stable, 20 beta, 24 alpha, 2 deprecated/withdrawn). In-Place Pod Resize moves to beta.
May
May 7 — GrafanaCON 2025 in Seattle. Grafana 12 released with observability-as-code capabilities. Agentic LLM built into Grafana announced.
May 19 — GitHub introduces Copilot coding agent at Microsoft Build 2025: asynchronous agent that spins up secure dev environments via GitHub Actions, implements features, pushes commits to draft PRs. Agent Mode handles terminal commands, tool calls, and self-heals runtime errors. Available to Copilot Pro+ and Enterprise users (changelog).
May 20 — JumpCloud acquires VaultOne for PAM capabilities.
May 22 — Stargate UAE datacenter announced to begin operations 2026.
June
June 9-13 — WWDC 2025. Apple open-sources containerization framework and container CLI—native Linux container support for macOS with sub-second start times.
June 10-11 — KubeCon China Hong Kong: 71 sessions.
July
July 2 — HPE completes $14B Juniper acquisition. Combined AI-driven networking portfolio.

July 11 — crates.io enables trusted publishing via OIDC. RubyGems had trusted publishing since December 2023.
July 17 — GitHub Actions: M2 Pro runners with GPU acceleration in public preview.
July 22 — Oracle and OpenAI expand Stargate partnership to 4.5GW. OpenAI agrees to pay Oracle $30B/year for data center services.
July 24 — CNCF survey: Argo CD majority-adopted GitOps solution. NPS 79, running in ~60% of surveyed clusters, 97% in production. Argo CD 3.0 (GA May 6, 2025) cited for performance and security improvements.
July 31 — npm trusted publishing with OIDC GA. Secure package publishing from CI/CD without long-lived tokens.
August
August 7 — GitHub Actions: ARM64 runners GA for public repos (Linux and Windows).
August 22 — Databricks announces Tecton acquisition for ML feature platform.
August 27 — Kubernetes v1.34 "Of Wind & Will" released. 58 enhancements (23 stable, 22 beta, 13 alpha). Dynamic Resource Allocation reaches GA—first-class support for GPU, TPU, and NIC scheduling. Contributions from 106 companies and 491 individuals.
September
September 16 — JFrog discloses Chaos Mesh vulnerabilities ("Chaotic Deputy"). Four CVEs including three critical (CVSS 9.8) enabling cluster takeover via exposed GraphQL endpoint. Affects Azure Chaos Studio. Fixed in Chaos Mesh 2.7.3.
September 18 — GitHub Actions: YAML anchors support added.
September 22 — NuGet enables trusted publishing via OIDC for GitHub Actions.

September 23 — CISA issues alert on Shai-Hulud npm supply chain attack. 500+ packages compromised via stolen maintainer credentials. Self-replicating worm targeted CI/CD systems for secret theft and persistence. StepSecurity documents affected packages including ctrl-tinycolor.
September 23 — 2025 DORA Report published: "State of AI-assisted Software Development." Introduces seven team archetypes blending delivery performance with human factors. Findings: AI adoption correlates positively with throughput, negatively with stability (more change failures, increased rework). Rework Rate added as fifth DORA metric (CD Foundation, October 16).
October
October 8 — Knative graduates from CNCF. Serverless on Kubernetes reaches maturity.
October 28-29 — GitHub Universe 2025 in San Francisco. AgentHQ announced—unified platform for orchestrating AI agents from Anthropic, OpenAI, Google, Cognition, xAI. Single command center to assign, steer, and track multiple agents (InfoQ).
November
November 1 — Grafana Agent EOL. Migration to Grafana Alloy required—OpenTelemetry-native collector with built-in Prometheus pipelines.
November 5 — Mimir 3.0 released at KubeCon NA. Metrics backend for Prometheus and OpenTelemetry at scale.
November 6 — Crossplane graduates from CNCF. 3,000+ contributors from 450+ organizations. Platform engineering infrastructure primitive.
November 10-13 — KubeCon NA Atlanta. 9,300+ attendees. 2025 marks Kubernetes' 11th year (first commit June 6, 2014) and CNCF's 10th anniversary.
November 11 — Docker Engine v29 released: containerd image store default for new installs, minimum API version 1.44, versions older than v25 EOL, legacy graph drivers deprecated.
November 11 — ingress-nginx retirement announced. Best-effort maintenance until March 2026, then no releases, bugfixes, or security updates. Gateway API is the forward-looking standard. Options: Envoy Gateway, NGINX Gateway Fabric, Cilium Gateway, Istio Gateway.
November 11 — CNCF launches Certified Kubernetes AI Conformance Program to standardize AI/ML workload execution.
November 12 — Docker Desktop 4.50 released: MCP onboarding, Dynamic MCPs, IDE integration (VSCode, Cursor), enterprise governance controls.
November 13 — GitHub Actions: OIDC token claims include check_run_id.
Late November — Shai-Hulud second wave (Microsoft guidance published December 9). Attack chain with runner agent named SHA1Hulud. Hundreds more packages compromised. Affected maintainer accounts: Zapier, PostHog, Postman.
November 30 — AWS Interconnect preview announced at re:Invent. Multicloud networking with Google Cloud as first partner. Microsoft Azure joining later in 2026.
December
November 30–December 4 — AWS re:Invent 2025. Key announcements:
AWS AI Factories: AI infrastructure in customer data centers
Amazon Bedrock AgentCore: quality evaluations and policy controls for autonomous AI agents at enterprise scale
AWS Frontier Agents: autonomous systems operating for extended periods without human intervention
December 11 — Port raises $100M Series C at $800M valuation. Competing with Backstage in internal developer portal market.
December 16 — GitHub announces Actions cloud platform charge of $0.002/minute for workflows in private repos (public repos and GHES excluded). Charge already included in hosted runner metered rates; applies additionally to self-hosted runners. Originally scheduled for March 1, 2026; subsequently postponed while GitHub re-evaluates.
December 17 — Kubernetes v1.35 "Timbernetes" released. 60 enhancements (17 stable, 19 beta, 22 alpha). Contributions from 85 companies and 419 individuals.
Key changes:
In-Place Pod Resize GA after 6 years (alpha in v1.27, beta in v1.33). CPU/memory adjustments without pod restarts.
cgroup v1 blocked by default. kubelet won't start on cgroup v1 nodes without failCgroupV1: false in kubelet config.
kube-proxy IPVS deprecated. Warning emitted; nftables recommended.
containerd 1.x support ends after v1.35. Use kubelet_cri_losing_support metric to identify affected nodes.
External Job Controller GA (.spec.managedBy)
December 17 — Docker Hardened Images made free and open source under Apache 2.0. 1,000+ images with SBOM, CVE data, SLSA Build Level 3 provenance.
December 30 — Backstage 2025 Wrapped: 3,400+ adopters (LinkedIn, CVS Health, Vodafone), 250+ open source plugins. 89% IDP market share per DX survey.
Observability Survey Data (2025)
67% use Prometheus in production
41% use OpenTelemetry in production
38% investigating or building OTel POCs
M&A Summary (2025)
| Deal | Value | Status | Source |
|---|---|---|---|
| Google + Wiz | $32B | Announced | |
| Charter + Cox | $34.5B | Announced | |
| Oracle + OpenAI (Stargate) | $30B/year | Announced | |
| Palo Alto + CyberArk | ~$25B | Announced | |
| HPE + Juniper | ~$14B | Completed Jul 2 | |
| IBM + HashiCorp | $6.4B | Completed Feb 27 | |
US M&A pace: ~$2.3 trillion (Harvard Law Forum). Global deal value: ~$4.8T (Bain).
| Provider | Share |
|---|---|
| AWS | ~29% |
| Microsoft Azure | ~20% |
| Google Cloud | ~13% |
Top 3 hold ~63% of global cloud infrastructure spending. Source: Synergy Research Group.
2026 Watchlist

1. ingress-nginx Retirement
When: March 2026 — no releases, bugfixes, or security updates after this date.
Context: IngressNightmare (CVE-2025-1974) exposed architectural risks. Gateway API is the forward-looking standard.
Action: Inventory ingress-nginx deployments. Select Gateway API implementation (Envoy Gateway, NGINX Gateway Fabric, Cilium Gateway, Istio Gateway). Complete migration before deadline.
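One way to run the inventory step, as an added example that is not part of the original article: it reads pod JSON and checks each ingress-nginx controller tag against the patched versions the timeline lists (1.11.5 and 1.12.1). The sample data is constructed, the function names are hypothetical, and the handling of branches outside 1.11 and 1.12 is an assumption marked in the code.

```python
import json
import re

# Patched releases named on this page, keyed by (major, minor) branch.
PATCHED = {(1, 11): (1, 11, 5), (1, 12): (1, 12, 1)}
TAG_RE = re.compile(r"ingress-nginx/controller[\w-]*:v?(\d+)\.(\d+)\.(\d+)")

# Constructed sample shaped like `kubectl get pods -A -o json` output.
SAMPLE_PODS = json.dumps({"items": [
    {"metadata": {"namespace": "ingress-nginx", "name": "ctrl-a"},
     "spec": {"containers": [{"image":
         "registry.k8s.io/ingress-nginx/controller:v1.11.3@sha256:constructed"}]}},
    {"metadata": {"namespace": "edge", "name": "ctrl-b"},
     "spec": {"containers": [{"image":
         "registry.k8s.io/ingress-nginx/controller:v1.12.1"}]}},
    {"metadata": {"namespace": "legacy", "name": "ctrl-c"},
     "spec": {"containers": [{"image":
         "registry.k8s.io/ingress-nginx/controller:v1.12.0"}]}},
    {"metadata": {"namespace": "pinned", "name": "ctrl-d"},
     "spec": {"containers": [{"image":
         "registry.k8s.io/ingress-nginx/controller@sha256:constructed"}]}},
    {"metadata": {"namespace": "web", "name": "app"},
     "spec": {"containers": [{"image": "nginx:1.27"}]}},
]})


def classify(version):
    """Return 'patched' or 'vulnerable' for a (major, minor, patch) tuple."""
    fixed = PATCHED.get(version[:2])
    if fixed:
        return "patched" if version >= fixed else "vulnerable"
    # Assumption: branches older than 1.11 have no fix; newer branches carry it.
    return "vulnerable" if version < (1, 11, 0) else "patched"


def inventory(pods_json):
    """List (namespace, pod, version, status) for every ingress-nginx controller."""
    findings = []
    for pod in json.loads(pods_json)["items"]:
        meta = pod["metadata"]
        for c in pod["spec"].get("containers", []):
            image = c["image"]
            if "ingress-nginx/controller" not in image:
                continue
            m = TAG_RE.search(image)
            if m:
                version = tuple(int(g) for g in m.groups())
                row = (".".join(map(str, version)), classify(version))
            else:
                row = ("unknown", "unknown")  # digest-only pin: resolve by hand
            findings.append((meta["namespace"], meta["name"], *row))
    return findings
```

A "patched" status covers only the IngressNightmare fixes; every controller the inventory returns still needs a migration plan before the March 2026 retirement.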
2. GitHub Actions Pricing
When: January 1, 2026 — up to 39% price reduction for GitHub-hosted runners. Actions cloud platform charge ($0.002/minute for private repo workflows) postponed from original March 1, 2026 date; revised timeline TBD. Charge already included in hosted runner rates; applies additionally to self-hosted runners.
Context: GitHub re-evaluating pricing model after community feedback. Public repos and GHES excluded.
Action: Audit self-hosted runner usage in private repos. Budget for eventual charges or evaluate alternatives.
3. Kubernetes Node Requirements
When: Now (v1.35 released December 2025). containerd 1.x support ends after v1.35; next Kubernetes version (~April 2026) will require containerd 2.0+.
Context: kubelet blocks cgroup v1 nodes by default in v1.35 (override: failCgroupV1: false). v1.35 is last release supporting containerd 1.x. Metric: kubelet_cri_losing_support.
Action: Migrate nodes to cgroup v2. Upgrade containerd to 2.0+ before next Kubernetes version.
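A sketch of the node audit this item calls for, added here as an example and not taken from the original article: it flags nodes still on containerd 1.x and nodes whose kubelet config carries the failCgroupV1: false override. The node list and per-node configz documents are constructed samples, and the function name and issue labels are hypothetical.

```python
import json
import re

# Constructed sample shaped like `kubectl get nodes -o json` output.
SAMPLE_NODES = json.dumps({"items": [
    {"metadata": {"name": "node-a"}, "status": {"nodeInfo": {
        "kubeletVersion": "v1.35.0",
        "containerRuntimeVersion": "containerd://1.7.27"}}},
    {"metadata": {"name": "node-b"}, "status": {"nodeInfo": {
        "kubeletVersion": "v1.35.0",
        "containerRuntimeVersion": "containerd://2.1.4"}}},
    {"metadata": {"name": "node-c"}, "status": {"nodeInfo": {
        "kubeletVersion": "v1.35.0",
        "containerRuntimeVersion": "cri-o://1.34.1"}}},
]})

# Constructed kubelet configs, shaped like the output of
# `kubectl get --raw /api/v1/nodes/<name>/proxy/configz` for each node.
SAMPLE_CONFIGZ = {
    "node-a": json.dumps({"kubeletconfig": {"failCgroupV1": False}}),
    "node-b": json.dumps({"kubeletconfig": {"failCgroupV1": True}}),
}


def audit_nodes(nodes_json, configz_by_node):
    """Map each node name to the list of migration issues found for it."""
    report = {}
    for node in json.loads(nodes_json)["items"]:
        name = node["metadata"]["name"]
        runtime = node["status"]["nodeInfo"]["containerRuntimeVersion"]
        issues = []
        # containerd 1.x loses support after v1.35; other runtimes are skipped.
        m = re.match(r"containerd://v?(\d+)\.", runtime)
        if m and int(m.group(1)) < 2:
            issues.append("containerd-1.x")
        raw = configz_by_node.get(name)
        if raw is None:
            issues.append("kubelet-config-not-collected")
        elif json.loads(raw).get("kubeletconfig", {}).get("failCgroupV1") is False:
            # The override lets the kubelet start on cgroup v1 in v1.35.
            issues.append("cgroup-v1-override")
        report[name] = issues
    return report
```

A node with the override set is not proven to be on cgroup v1, only permitted to be, so treat that label as a prompt to check the host.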
4. AI Agent Operational Boundaries
When: Ongoing. GitHub Copilot coding agent, AWS Frontier Agents, and Bedrock AgentCore available now. Adoption accelerating through 2026.
Context: DORA 2025 found AI correlates with increased throughput but decreased stability (more change failures, increased rework).
Action: Define automation boundaries (read-only vs. mutating). Require human approval for high-blast-radius changes. Track Rework Rate alongside throughput. Maintain error budget discipline.
5. Supply Chain Attestation
When: Now. Trusted publishing available: RubyGems (Dec 2023), crates.io (July 11, 2025), npm (July 31, 2025), NuGet (Sept 22, 2025). Docker Hardened Images with SLSA Build Level 3 available December 17, 2025.
Context: Shai-Hulud compromised 500+ npm packages via stolen maintainer credentials. Second wave in November 2025.
Action: Enable trusted publishing on all registries. Implement SLSA attestation. Audit CI/CD secrets access. Rotate tokens.
6. OpenTofu vs. Terraform
When: Monitor through 2026. IBM completed HashiCorp acquisition February 2025; governance direction should clarify over next 12 months.
Context: Fidelity migrated to OpenTofu. OpenTofu provides Terraform-compatible open governance alternative.
Action: Monitor IBM's governance decisions. Evaluate OpenTofu based on vendor lock-in tolerance.
7. Service Mesh Architecture
When: Evaluate in 2026. Istio Ambient Mode GA since November 2024. Istio 2025-2026 roadmap focuses on sidecar-to-ambient migration path.
Context: Sidecarless architectures (Istio Ambient, Cilium) reduce resource overhead. Migration paths maturing.
Action: Evaluate sidecarless architecture for resource reduction. Review migration path if running sidecar-based mesh.
8. Internal Developer Portals
When: Evaluate when planning platform investments. Market actively consolidating.
Context: Backstage: 3,400+ adopters, 250+ plugins, requires investment to customize. Port: $100M Series C at $800M valuation, turnkey alternative.
Action: Evaluate based on platform team capacity and customization requirements.
9. Hardware-Aware Kubernetes Scheduling
When: Now. Dynamic Resource Allocation GA in v1.34 (August 2025). In-Place Pod Resize GA in v1.35 (December 2025).
Context: DRA enables first-class GPU/TPU/NIC scheduling. In-Place Pod Resize allows CPU/memory adjustment without pod restarts after 6 years of development.
Action: Evaluate DRA for GPU workloads. Test In-Place Pod Resize for variable workloads and cost optimization.
10. Multicloud Networking
When: AWS Interconnect with Google Cloud in preview now. Azure joining later 2026. GA timeline TBD.
Context: First-party multicloud networking between major cloud providers.
Action: Evaluate for multicloud deployments when GA.
