RATATOSKRATATOSK
Sign in

CRI-O

v1.35.2Kubernetes Core
Apr 2, 2026

CRI-O v1.35.2 is a focused bug-fix patch addressing image pull credential verification, metrics reporting gaps, and OCI artifact store contamination issues.

  • breakingVerify credential provider workflows after upgrading

    The PullImage fix changes what gets returned during image pulls. If you use Kubernetes credential provider plugins or have automation that validates image pull behavior, test those flows before rolling this to production. The old behavior could silently bypass credential checks in edge cases.

  • enhancementAudit your metrics pipelines — you may have been missing data

    The metrics bug means any cluster running v1.35.x before this patch was likely returning incomplete metrics when 'all' was set. After upgrading, expect metric cardinality to increase. Check dashboards and alerting thresholds — a spike in metrics volume is expected and correct, not a problem.

  • enhancementUse additional_artifact_stores for air-gapped or mirrored artifact setups

    If you run air-gapped clusters or internal artifact mirrors, the new 'additional_artifact_stores' option lets you configure multiple read-only sources without hacking around existing config. Pair this with the pinned_images fix to ensure pinned artifacts are pulled from the right store consistently.

Key changes (5)

  • PullImage now returns the image ID directly, fixing Kubernetes credential verification compatibility
  • Metrics endpoint now returns all metrics when 'all' is configured — previously silently incomplete
  • Regular container images can no longer accidentally land in the OCI artifact store
  • pinned_images configuration now applies consistently to artifact store images, not just regular containers
  • New 'additional_artifact_stores' config option for adding read-only artifact store sources