State of DevOps 2026

January 2, 2026

Three infrastructure shifts defined 2025: security vulnerabilities forced architectural change (IngressNightmare exposed 43% of cloud environments per Wiz analysis; ingress-nginx retires March 2026), AI moved from code suggestion to autonomous operation (GitHub Copilot coding agent, AWS Frontier Agents, Amazon Bedrock AgentCore), and supply chain attacks evolved into automated propagation (Shai-Hulud worm compromised ~800 npm packages across two waves via stolen credentials).

Infographic summarizing major DevOps trends from 2025 and priorities for 2026. The left side highlights 2025 defining shifts, including critical vulnerabilities like IngressNightmare forcing architectural changes, AI evolving from code assistants into autonomous agents, and AI-driven throughput gains that also increased instability and rework. It also shows cloud market share in Q3 2025 with AWS at about 29%, Microsoft Azure at about 20%, and Google Cloud at about 13%. The right side outlines a 2026 action plan with key steps such as migrating off ingress-nginx by March 2026 due to end of support, hardening software supply chains with trusted publishing, upgrading Kubernetes nodes to newer cgroup and container runtimes, and defining clear human-approval boundaries for autonomous AI agents.
The State of DevOps: 2025 in Review, 2026 in Focus

The 2025 DORA Report quantified the AI trade-off: positive correlation with throughput, negative correlation with stability. The report added Rework Rate as a fifth metric to capture this. In Kubernetes, Dynamic Resource Allocation reached GA in v1.34 and In-Place Pod Resize reached GA in v1.35. IBM completed the HashiCorp acquisition for $6.4B. GitHub Actions processes 71 million jobs daily with up to 39% price reductions effective January 2026.

Actions for 2026: Migrate from ingress-nginx to Gateway API before March 2026 retirement. Upgrade Kubernetes nodes to cgroup v2 and containerd 2.0+ before v1.36. Complete Grafana Agent to Alloy migration (EOL November 2025). Audit GitHub Actions self-hosted runner usage for pricing changes. Define human-approval boundaries for AI coding agents in production workflows. Track the DevOps Research and Assessment Rework Rate metric alongside throughput for AI-assisted development.


DevOps 2025 Timeline

January 2025

January 15
announcement

KubeCon EU 2025 Schedule

CNCF publishes KubeCon EU 2025 schedule: 2,939 submissions, 229 sessions accepted for London event.

February 2025

February 27
milestone

IBM Closes HashiCorp Acquisition

IBM closes HashiCorp acquisition for $6.4B after UK CMA clearance. HashiCorp becomes a division of IBM Software with planned Red Hat Ansible and watsonx integration. Fidelity announces migration from Terraform to OpenTofu.
February 28
announcement

nftables kube-proxy Guidance

Kubernetes publishes nftables kube-proxy guidance. IPVS mode's long-term future is uncertain; nftables recommended as the forward path, iptables remains default for compatibility.

March 2025

March 24
security

IngressNightmare Disclosed

Wiz Research discloses IngressNightmare: five CVEs in ingress-nginx controller. CVE-2025-1974 rated CVSS 9.8, an RCE exploitable from anywhere on pod network. Rapid7 confirms 43% of cloud environments vulnerable, 6,500+ clusters publicly exposed with vulnerable admission controllers. Patched versions: 1.12.1 and 1.11.5. Wiz had reported CVE-2025-1974 and CVE-2025-24514 to Kubernetes on December 31, 2024. More CVEs disclosed:
- CVE-2025-24513: auth secret file path traversal (Medium)
- CVE-2025-24514: config injection via auth-url annotation (High)
- CVE-2025-1097: config injection via auth-tls-match-cn annotation (High)
- CVE-2025-1098: config injection via mirror annotations (High)
Slide titled "IngressNightmare Exposed an Architectural Failure Point" highlighting the impact of the IngressNightmare vulnerability. It states that Wiz and Rapid7 found 43% of cloud environments vulnerable, based on Wiz and Rapid7 analysis from March 2025. The slide lists key details including CVE-2025-1974, a critical remote code execution issue with a CVSS score of 9.8 exploitable from anywhere on the pod network, and notes that over 6,500 Kubernetes clusters were publicly exposed through vulnerable admission controllers. More related vulnerabilities involving configuration injection and path traversal are also listed.
IngressNightmare: How a Kubernetes Ingress Flaw Exposed a Single Point of Failure

April 2025

April 1-4
event

KubeCon EU London

April 10
release

GitHub Actions macOS 15 and Windows 2025

April 23
release

Kubernetes v1.33 "Octarine"

Kubernetes v1.33 "Octarine" released. 64 enhancements (18 stable, 20 beta, 24 alpha, 2 deprecated/withdrawn). In-Place Pod Resize moves to beta.

May 2025

May 7
event

GrafanaCON 2025

GrafanaCON 2025 in Seattle. Grafana 12 released with observability-as-code capabilities. Agentic LLM built into Grafana announced.
May 19
release

GitHub Copilot Coding Agent

GitHub introduces Copilot coding agent at Microsoft Build 2025: asynchronous agent that spins up secure dev environments via GitHub Actions, adds features, pushes commits to draft PRs. Agent Mode handles terminal commands, tool calls, and self-heals runtime errors. Available to Copilot Pro+ and Enterprise users (changelog).
May 20
milestone

JumpCloud Acquires VaultOne

JumpCloud acquires VaultOne for PAM capabilities.
May 22
announcement

Stargate UAE Datacenter

Stargate UAE datacenter announced to begin operations 2026.

June 2025

June 9-13
event

WWDC 2025

WWDC 2025. Apple open-sources containerization framework and container CLI, providing native Linux container support for macOS with sub-second start times.
June 10-11
event

KubeCon China Hong Kong

July 2025

July 2
milestone

HPE Completes Juniper Acquisition

HPE completes $14B Juniper acquisition. Combined AI-driven networking portfolio.
July 11
release

crates.io Trusted Publishing

crates.io enables trusted publishing via OIDC. RubyGems had trusted publishing since December 2023.
July 17
release

GitHub Actions M2 Pro Runners

GitHub Actions: M2 Pro runners with GPU acceleration in public preview.
July 22
announcement

Oracle and OpenAI Expand Stargate Partnership

Oracle and OpenAI expand Stargate partnership to 4.5GW. OpenAI agrees to pay Oracle $30B/year for data center services.
July 24
milestone

Argo CD Majority-Adopted GitOps Solution

CNCF survey: Argo CD majority-adopted GitOps solution. NPS 79, running in ~60% of surveyed clusters, 97% in production. Argo CD 3.0 (GA May 6, 2025) cited for performance and security improvements.
July 31
release

npm Trusted Publishing GA

npm trusted publishing with OIDC GA. Secure package publishing from CI/CD without long-lived tokens.
Timeline infographic titled "The Supply Chain Hardens: Trusted Publishing Becomes the Standard." It shows the adoption of trusted publishing across major package registries, starting with RubyGems in December 2023, followed by crates.io on July 11, 2025, npm reaching general availability on July 31, 2025, and NuGet on September 22, 2025. A callout explains trusted publishing as a security mechanism that allows CI/CD systems to publish packages using short-lived OIDC tokens instead of long-lived, stealable secrets. The slide also notes that Docker Hardened Images with SLSA Build Level 3 provenance were open-sourced in December 2025.
Trusted Publishing Goes Mainstream: A New Standard for Software Supply Chain Security

August 2025

August 7
release

GitHub Actions ARM64 Runners GA

GitHub Actions: ARM64 runners GA for public repos (Linux and Windows).
August 22
milestone

Databricks Announces Tecton Acquisition

August 27
release

Kubernetes v1.34 "Of Wind & Will"

Kubernetes v1.34 "Of Wind & Will" released. 58 enhancements (23 stable, 22 beta, 13 alpha). Dynamic Resource Allocation reaches GA with first-class support for GPU, TPU, and NIC scheduling. Contributions from 106 companies and 491 individuals.

September 2025

September 16
security

Chaos Mesh Vulnerabilities Disclosed

JFrog discloses Chaos Mesh vulnerabilities ("Chaotic Deputy"). Four CVEs including three critical (CVSS 9.8) enabling cluster takeover via exposed GraphQL endpoint. Affects Azure Chaos Studio. Fixed in Chaos Mesh 2.7.3.
September 18
release

GitHub Actions YAML Anchors Support

GitHub Actions: YAML anchors support added.
September 22
release

NuGet Trusted Publishing

NuGet enables trusted publishing via OIDC for GitHub Actions.
September 23
security

Shai-Hulud npm Supply Chain Attack

CISA issues alert on Shai-Hulud npm supply chain attack. 500+ packages compromised via stolen maintainer credentials. Self-replicating worm targeted CI/CD systems for secret theft and persistence. StepSecurity documents affected packages including ctrl-tinycolor.
Slide titled "Shai-Hulud: A Self-Replicating Worm Weaponized the Supply Chain" describing a large-scale npm supply-chain attack. It outlines four stages of the attack: compromise of maintainer credentials, injection of malicious code into more than 500 npm packages, propagation by targeting CI/CD systems, and exfiltration of secrets to establish persistence. The slide notes an initial attack in September 2025 that triggered a CISA alert with over 500 packages compromised, a second wave in November 2025 infecting hundreds more packages using a runner agent named "SHA1Hulud," and impacts on high-profile maintainer accounts including Zapier, PostHog, and Postman.
Shai-Hulud: How a Self-Replicating Worm Weaponized the Software Supply Chain
milestone

2025 DORA Report Published

2025 DORA Report published: "State of AI-assisted Software Development." Introduces seven team archetypes blending delivery performance with human factors. Findings: AI adoption correlates positively with throughput, negatively with stability (more change failures, increased rework). Rework Rate added as fifth DORA metric (CD Foundation, October 16).

October 2025

October 8
milestone

Knative Graduates from CNCF

Knative graduates from CNCF. Serverless on Kubernetes reaches maturity.
October 28-29
event

GitHub Universe 2025

GitHub Universe 2025 in San Francisco. AgentHQ announced, a unified platform for orchestrating AI agents from Anthropic, OpenAI, Google, Cognition, xAI. Single command center to assign, steer, and track agents (InfoQ).

November 2025

November 1
milestone

Grafana Agent EOL

Grafana Agent EOL. Migration to Grafana Alloy required, an OpenTelemetry-native collector with built-in Prometheus pipelines.
November 5
release

Mimir 3.0 Released

Mimir 3.0 released at KubeCon NA. Metrics backend for Prometheus and OpenTelemetry at scale.
November 6
milestone

Crossplane Graduates from CNCF

Crossplane graduates from CNCF. 3,000+ contributors from 450+ organizations. Platform engineering infrastructure primitive.
November 10-13
event

KubeCon NA Atlanta

KubeCon NA Atlanta. 9,300+ attendees. 2025 marks Kubernetes' 11th year (first commit June 6, 2014) and CNCF's 10th anniversary.
November 11
release

Docker Engine v29 Released

Docker Engine v29 released: containerd image store default for new installs, API version 1.44, versions older than v25 EOL, legacy graph drivers deprecated.
announcement

ingress-nginx Retirement Announced

ingress-nginx retirement announced. Best-effort maintenance until March 2026, then no releases, bugfixes, or security updates. Gateway API is the forward-looking standard. Options: Envoy Gateway, NGINX Gateway Fabric, Cilium Gateway, Istio Gateway.
announcement

CNCF Certified Kubernetes AI Conformance Program

CNCF launches Certified Kubernetes AI Conformance Program to standardize AI/ML workload execution.
November 12
release

Docker Desktop 4.50 Released

Docker Desktop 4.50 released: MCP onboarding, Dynamic MCPs, IDE integration (VSCode, Cursor), enterprise governance controls.
November 13
release

GitHub Actions OIDC Token Claims Update

November 25
security

Shai-Hulud Second Wave

Shai-Hulud second wave (Microsoft guidance published December 9). Attack chain with runner agent named SHA1Hulud. 796 packages compromised with ~132M monthly downloads. Affected maintainer accounts: Zapier, PostHog, Postman.
November 30
announcement

AWS Interconnect Preview

AWS Interconnect preview announced at re:Invent. Multicloud networking with Google Cloud as first partner. Microsoft Azure joining later in 2026.

December 2025

November 30–December 4
event

AWS re:Invent 2025

AWS re:Invent 2025. Key announcements:
- AWS AI Factories: AI infrastructure in customer data centers
- Amazon Bedrock AgentCore: quality evaluations and policy controls for autonomous AI agents at enterprise scale
- AWS Frontier Agents: autonomous systems operating for extended periods without human intervention
December 11
milestone

Port Raises $100M Series C

Port raises $100M Series C at $800M valuation. Competing with Backstage in internal developer portal market.
December 16
announcement

GitHub Actions Pricing Changes

GitHub announces Actions cloud platform charge of $0.002/minute for workflows in private repos (public repos and GHES excluded). Charge already included in hosted runner metered rates; also applies to self-hosted runners. Originally March 1, 2026; subsequently postponed while re-evaluating.
December 17
release

Kubernetes v1.35 "Timbernetes"

Kubernetes v1.35 "Timbernetes" released. 60 enhancements (17 stable, 19 beta, 22 alpha). Contributions from 85 companies and 419 individuals. Key changes:
- In-Place Pod Resize GA after 6 years (alpha in v1.27, beta in v1.33). CPU/memory changes without pod restarts.
- cgroup v1 blocked by default. kubelet won't start on cgroup v1 nodes without failCgroupV1: false in kubelet config.
- kube-proxy IPVS deprecated. Warning emitted; nftables recommended.
- containerd 1.x support ends after v1.35. Use kubelet_cri_losing_support metric to identify affected nodes.
- Fine-grained Supplemental Groups Control GA
- Kubelet Configuration Drop-in Directory GA
- External Job Controller GA (.spec.managedBy)
release

Docker Hardened Images Open Sourced

Docker Hardened Images made free and open source under Apache 2.0. 1,000+ images with SBOM, CVE data, SLSA Build Level 3 provenance.
December 30
milestone

Backstage 2025 Wrapped

Backstage 2025 Wrapped: 3,400+ adopters (LinkedIn, CVS Health, Vodafone), 250+ open source plugins. 89% IDP market share per DX survey.

Observability Survey Data (2025)

Grafana Labs 2025 Observability Survey:


M&A Summary (2025)

| Deal | Value | Status | Source |
| --- | --- | --- | --- |
| Google + Wiz | $32B | Announced | Google |
| Charter + Cox | $34.5B | Announced | AP News |
| Oracle + OpenAI (Stargate) | $30B/year | Announced | OpenAI, Reuters, TechCrunch |
| Palo Alto + CyberArk | ~$25B | Announced | Palo Alto |
| HPE + Juniper | ~$14B | Completed Jul 2 | HPE |
| IBM + HashiCorp | $6.4B | Completed Feb 27 | IBM |

US M&A pace: ~$2.3 trillion (Harvard Law Forum). Global deal value: ~$4.8T (Bain).


Cloud Market Share (Q3 2025)

| Provider | Share |
| --- | --- |
| AWS | ~29% |
| Microsoft Azure | ~20% |
| Google Cloud | ~13% |

Top 3 hold ~63% of global cloud infrastructure spending.


DevOps 2026 Watchlist

Slide titled "Your 2026 Mission Briefing: A Strategic Watchlist" outlining three focus areas. "The Agent Ascendant" emphasizes defining operational boundaries for AI agents, requiring human approval for high-risk changes, tracking rework rate alongside throughput and stability, and evaluating dynamic resource allocation for GPU and AI workloads. "The Hardened Perimeter" focuses on completing migration from ingress-nginx to a Gateway API before March 2026, enabling trusted publishing with OIDC across package registries, and auditing CI/CD secrets with token rotation to mitigate supply-chain threats like Shai-Hulud. "The Shifting Foundation" highlights upgrading Kubernetes nodes to cgroup v2 and containerd 2.0+, evaluating sidecarless service mesh options, auditing self-hosted GitHub Actions runners for cost impacts, and testing in-place pod resizing for cost optimization.
Your 2026 Mission Briefing: A Strategic DevOps & Platform Watchlist

1. ingress-nginx Retirement

When: March 2026. No releases, bugfixes, or security updates after this date.
Context: IngressNightmare (CVE-2025-1974) exposed architectural risks. Gateway API is the forward-looking standard.
Action: Inventory ingress-nginx deployments. Select Gateway API implementation (Envoy Gateway, NGINX Gateway Fabric, Cilium Gateway, Istio Gateway). Complete migration before deadline.
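
One way to do the inventory step, as an added example (not code from this article or from the ingress-nginx project): it reads `kubectl get pods -A -o json` output and compares each controller image tag with the patched releases listed above (1.12.1 and 1.11.5). The pod names, namespaces and digests in the sample are constructed.

```python
import json
import re
import sys

# Matches the controller image (optionally the -chroot variant) and its tag.
IMAGE_RE = re.compile(r"ingress-nginx/controller(?:-chroot)?(?::v?(\d+)\.(\d+)\.(\d+))?")


def classify(version):
    """Compare a (major, minor, patch) tuple with the patched releases on this page."""
    if version is None:
        return "unknown"  # pinned by digest only: resolve the digest by hand
    if version >= (1, 12, 1) or (1, 11, 5) <= version < (1, 12, 0):
        return "patched"
    return "vulnerable"


def inventory(pod_list):
    """Return (namespace, pod, version, status) for every ingress-nginx controller."""
    findings = []
    for pod in pod_list.get("items", []):
        meta = pod["metadata"]
        for container in pod["spec"].get("containers", []):
            match = IMAGE_RE.search(container.get("image", ""))
            if not match:
                continue
            version = tuple(map(int, match.groups())) if match.group(1) else None
            findings.append((meta["namespace"], meta["name"], version, classify(version)))
    return findings


# Constructed sample shaped like `kubectl get pods -A -o json` (digests are fake).
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"namespace": "ingress-nginx", "name": "ctrl-old"},
   "spec": {"containers": [{"image": "registry.k8s.io/ingress-nginx/controller:v1.11.4@sha256:0000"}]}},
  {"metadata": {"namespace": "edge", "name": "ctrl-new"},
   "spec": {"containers": [{"image": "registry.k8s.io/ingress-nginx/controller:v1.12.1"}]}},
  {"metadata": {"namespace": "legacy", "name": "ctrl-pinned"},
   "spec": {"containers": [{"image": "registry.k8s.io/ingress-nginx/controller@sha256:1111"}]}},
  {"metadata": {"namespace": "web", "name": "frontend"},
   "spec": {"containers": [{"image": "nginx:1.27"}]}}
]}
""")

if __name__ == "__main__":
    # Usage: kubectl get pods -A -o json > pods.json && python3 inventory.py pods.json
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for namespace, name, version, status in inventory(data):
        shown = ".".join(map(str, version)) if version else "?"
        print(f"{namespace}/{name}: controller {shown} -> {status}")
```

"patched" here refers only to the IngressNightmare fixes; once maintenance ends in March 2026, every controller the script lists is a migration candidate.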


2. GitHub Actions Pricing

When: January 1, 2026. Up to 39% price reduction for GitHub-hosted runners. Actions cloud platform charge ($0.002/minute for private repo workflows) postponed from original March 1, 2026 date; revised timeline TBD. Charge already included in hosted runner rates; also applies to self-hosted runners.
Context: GitHub re-evaluating pricing model after community feedback. Public repos and GHES excluded.
Action: Audit self-hosted runner usage in private repos. Budget for eventual charges or review alternatives.


3. Kubernetes Node Requirements

When: Now (v1.35 released December 2025). containerd 1.x support ends after v1.35; next Kubernetes version (~April 2026) will require containerd 2.0+.
Context: kubelet blocks cgroup v1 nodes by default in v1.35 (override: failCgroupV1: false). v1.35 is last release supporting containerd 1.x. Metric: kubelet_cri_losing_support.
Action: Migrate nodes to cgroup v2. Upgrade containerd to 2.0+ before next Kubernetes version.
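
A node-level preflight for the two requirements above, as an added example (not code from this article or from Kubernetes): it classifies the cgroup hierarchy from `/proc/mounts` and reads the containerd major version from `containerd --version`. The sample mount tables and version strings are constructed.

```python
import re
import subprocess


def cgroup_mode(mounts_text):
    """Classify /proc/mounts content as 'v2', 'hybrid' or 'v1'."""
    root_type, has_v2 = None, False
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        if fields[1] == "/sys/fs/cgroup":
            root_type = fields[2]
        has_v2 = has_v2 or fields[2] == "cgroup2"
    # Only a cgroup2 mount at /sys/fs/cgroup itself is unified mode; a cgroup2
    # mount elsewhere (hybrid) still leaves the node on the v1 hierarchy.
    if root_type == "cgroup2":
        return "v2"
    return "hybrid" if has_v2 else "v1"


def containerd_version(version_output):
    """Extract (major, minor, patch) from `containerd --version` output."""
    match = re.search(r"v?(\d+)\.(\d+)\.(\d+)", version_output)
    return tuple(map(int, match.groups())) if match else None


def blockers(mounts_text, version_output):
    """List what keeps this node from meeting the requirements described above."""
    found = []
    mode = cgroup_mode(mounts_text)
    if mode != "v2":
        found.append(f"cgroup {mode}: kubelet v1.35 will not start unless failCgroupV1 is false")
    version = containerd_version(version_output)
    if version is None:
        found.append("containerd version not recognised")
    elif version[0] < 2:
        found.append("containerd %d.%d.%d: 1.x support ends after v1.35" % version)
    return found


# Constructed samples (not captured from a real node).
V1_MOUNTS = ("tmpfs /sys/fs/cgroup tmpfs ro,nosuid,nodev,noexec 0 0\n"
             "cgroup /sys/fs/cgroup/memory cgroup rw,memory 0 0\n")
HYBRID_MOUNTS = V1_MOUNTS + "cgroup2 /sys/fs/cgroup/unified cgroup2 rw 0 0\n"
V2_MOUNTS = "cgroup2 /sys/fs/cgroup cgroup2 rw,nosuid,nodev,noexec,relatime 0 0\n"
OLD_CONTAINERD = "containerd containerd.io 1.7.27 0000000"
NEW_CONTAINERD = "containerd github.com/containerd/containerd/v2 v2.0.4 0000000"

if __name__ == "__main__":
    try:  # on a node: read the live values
        mounts = open("/proc/mounts").read()
        output = subprocess.run(["containerd", "--version"], capture_output=True,
                                text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        mounts, output = HYBRID_MOUNTS, OLD_CONTAINERD  # fall back to the samples
    for problem in blockers(mounts, output) or ["no blockers found"]:
        print(problem)
```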


4. AI Agent Operational Boundaries

When: Ongoing. GitHub Copilot coding agent, AWS Frontier Agents, and Bedrock AgentCore available now. Adoption accelerating through 2026.
Context: DORA 2025 found AI correlates with increased throughput but decreased stability (more change failures, increased rework).
Action: Define automation boundaries (read-only vs. mutating). Require human approval for high-blast-radius changes. Track Rework Rate alongside throughput. Maintain error budget discipline.


5. Supply Chain Attestation

When: Now. Trusted publishing available: RubyGems (Dec 2023), crates.io (July 11, 2025), npm (July 31, 2025), NuGet (Sept 22, 2025). Docker Hardened Images with SLSA Build Level 3 available December 17, 2025.
Context: Shai-Hulud compromised 500+ npm packages via stolen maintainer credentials in September. Second wave in November compromised 796 more packages.
Action: Enable trusted publishing on all registries. Add SLSA attestation. Audit CI/CD secrets access. Rotate tokens.
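
A first pass at the secrets audit, as an added example (not code from this article, npm or GitHub): a text scan of GitHub Actions workflow files that separates npm publish jobs still fed a stored registry token from jobs that request an OIDC token. It assumes the common `NODE_AUTH_TOKEN` / `NPM_TOKEN` variable names; the workflow snippets are constructed.

```python
import glob
import re

PUBLISH_RE = re.compile(r"\bnpm\s+publish\b")
OIDC_RE = re.compile(r"^\s*id-token:\s*write\s*$", re.M)
# A registry token injected from a stored secret, e.g. NODE_AUTH_TOKEN: ${{ secrets.X }}
TOKEN_RE = re.compile(r"\b(?:NODE_AUTH_TOKEN|NPM_TOKEN)\s*:\s*\$\{\{\s*secrets\.(\w+)\s*\}\}")


def audit_workflow(text):
    """Return (status, secret_names) for one workflow file's text."""
    text = re.sub(r"(?m)(^|[ \t])#.*$", "", text)  # drop YAML comments (heuristic)
    if not PUBLISH_RE.search(text):
        return ("no-publish", [])
    secrets = sorted(set(TOKEN_RE.findall(text)))
    if secrets:
        # A stored token is stealable even if the job could also use OIDC.
        return ("long-lived-token", secrets)
    if OIDC_RE.search(text):
        return ("trusted-publishing", [])
    return ("review-manually", [])  # publishes, but credentials come from elsewhere


# Constructed workflow snippets (hypothetical repositories).
TOKEN_WORKFLOW = """
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - run: npm publish
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
"""
OIDC_WORKFLOW = """
permissions:
  id-token: write  # lets the job request a short-lived OIDC token
  contents: read
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - run: npm publish
"""

if __name__ == "__main__":
    paths = glob.glob(".github/workflows/*.y*ml")
    for path in paths:
        print(path, *audit_workflow(open(path).read()))
    if not paths:  # no repository checked out here: show the samples instead
        for name, text in (("token", TOKEN_WORKFLOW), ("oidc", OIDC_WORKFLOW)):
            print(name, *audit_workflow(text))
```

Each secret name reported as `long-lived-token` is a candidate for rotation and for removal once the package has a trusted publisher configured on the registry side.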


6. OpenTofu vs. Terraform

When: Track through 2026. IBM completed HashiCorp acquisition February 2025; governance direction should clarify over next 12 months.
Context: Fidelity migrated to OpenTofu. OpenTofu provides Terraform-compatible open governance alternative.
Action: Track IBM's governance decisions. Review OpenTofu based on vendor lock-in tolerance.


7. Service Mesh Architecture

When: Review in 2026. Istio Ambient Mode GA since November 2024. Istio 2025-2026 roadmap focuses on sidecar-to-ambient migration path.
Context: Sidecarless architectures (Istio Ambient, Cilium) reduce resource overhead. Migration paths maturing.
Action: Review sidecarless architecture for resource reduction. Review migration path if running sidecar-based mesh.


8. Internal Developer Portals

When: Review when planning platform investments. Market actively consolidating.
Context: Backstage: 3,400+ adopters, 250+ plugins, requires investment to customize. Port: $100M Series C at $800M valuation, turnkey alternative.
Action: Review based on platform team capacity and customization requirements.


9. Hardware-Aware Kubernetes Scheduling

When: Now. Dynamic Resource Allocation GA in v1.34 (August 2025). In-Place Pod Resize GA in v1.35 (December 2025).
Context: DRA enables first-class GPU/TPU/NIC scheduling. In-Place Pod Resize allows CPU/memory changes without pod restarts after 6 years of development.
Action: Review DRA for GPU workloads. Test In-Place Pod Resize for variable workloads and cost optimization.


10. Multicloud Networking

When: AWS Interconnect with Google Cloud in preview now. Azure joining later 2026. GA timeline TBD.
Context: First-party multicloud networking between major cloud providers.
Action: Review for multicloud deployments when GA.
