At KubeCon EU 2026 in Amsterdam, Broadcom announced VMware vSphere Kubernetes Service (VKS) 3.6 and submitted the Velero backup project to the CNCF Sandbox. VKS 3.6 brings Kubernetes 1.35 support, RHEL 9 compatibility, declarative performance tuning, and improved upgrade safety for enterprise platform teams.
Broadcom lets it be known that it is among the top five long-term contributors to CNCF projects. That position, the company says, is reflected in VKS’s continued CNCF-certified Kubernetes releases. The Velero Sandbox application was filed in February, kicking off a process that will bring the project under vendor-neutral governance. Widening the contributor base and aligning governance with CNCF standards are the stated goals.
“As organizations scale their cloud native workloads, the focus is shifting from simple orchestration to long-term resilience and data management,” says Chris Aniszczyk, CTO, CNCF. “By joining the CNCF Sandbox, Velero gains a vendor-neutral home to foster community collaboration and growth.”
VKS 3.6: tackling day-two operations
The more immediately practical announcement is VKS 3.6. This release of vSphere Kubernetes Service, essentially native containerization within vSphere, targets the day-two operational headaches that enterprise platform teams know well. Kubernetes 1.35 support arrives with 24-month extended version support, meaning large organizations can plan upgrades on their own schedule rather than under fleet-wide pressure.
RHEL 9 now also joins the list of supported operating systems alongside Photon OS 5, Ubuntu 22.04 and 24.04, as well as Windows Server 2022. Both control plane and worker nodes can run RHEL, and VKS continues to allow heterogeneous clusters with different OS per node pool.
VKS 3.6 also introduces declarative TuneD profiles, which allow kernel and sysctl tuning for databases and high-throughput applications through standard Kubernetes workflows. This is without unsupported host customization. Upgrade safety gets attention too: pre-upgrade checks now surface configuration conflicts continuously via the SystemCheckSucceeded condition, rather than only at upgrade time.
Ecosystem and security additions
A supported integration path for Container Network Interface (CNI) partner plugins opens the networking ecosystem while staying within VKS lifecycle and support boundaries. Support will first appear for Cilium and Calico, which are currently in the validation phase for this. Broadcom notes that rival OpenShift from Red Hat can only support one CNI per bare-metal cluster. RHEL licensees can now also bring these paid licenses to VKS.
On the security side, AppArmor profiles can now be managed as Custom Resources, automatically synced across all worker nodes or specific node pools. Workload cluster owners can also generate support bundles without vCenter credentials, reducing friction between Kubernetes and infrastructure teams.
Broadcom is also stepping forward to help organizations move away from NGINX. NGINX is deprecated in the latest Kubernetes release, meaning a replacement is requirement. Broadcom is pushing users towards Avi Gateway API, with a native integration for load balancing to the controller.
For Linux nodes, VKS 3.6 adds nftables backend support for kube-proxy, improving performance and scalability. Broadcom’s previous KubeCon EU presence already signaled its intent to keep VMs and containers as co-equal workload types within VMware Cloud Foundation. VKS 3.6 continues that trajectory. It’s all part of the same push by Broadcom to unify a private cloud experience in VCF irrespective of the workloads, be they cloud-native or standard VMs.