Contour
v1.33.3Networking & MessagingContour v1.33.3 is a security-focused patch bumping Envoy to v1.35.9 and grpc-go to v1.79.3, with a minor cleanup to example manifests.
securityUpgrade to get the Envoy security fixes
The Envoy bump to v1.35.9 is the main reason to upgrade — it addresses real security vulnerabilities in the data plane. The grpc-go CVE-2026-33186 does not affect Contour, but the Envoy issues are reason enough to prioritize this patch. Plan a rollout soon, especially if your clusters are exposed to untrusted traffic.
breakingCheck custom manifests for the removed hostPort: 8002
If you copied or extended the example manifests and rely on hostPort: 8002 for scraping Envoy metrics directly from the node, that configuration is now gone from the upstream examples. Audit your manifests before upgrading to confirm whether you've inherited this setting and whether any monitoring pipelines depend on it.
Key changes (4)
- Envoy bumped to v1.35.9 to address security vulnerabilities
- grpc-go updated to v1.79.3, patching CVE-2026-33186 (Contour itself is not affected)
- Removed hostPort: 8002 from Envoy metrics in example manifests
- Tested against Kubernetes 1.32 through 1.34