RATATOSKRATATOSK
Sign in

Releases

AI-analyzed release notes for CNCF graduated and incubating projects.

Mar 2026Clear ×

etcd

Kubernetes CoreMar 20, 2026

etcd v3.6.9 is a maintenance release. The release notes are sparse — check the full CHANGELOG for the actual diff before upgrading.

  • breakingRead the CHANGELOG before upgrading — release notes are incomplete

    The published release notes for v3.6.9 contain no change details. Before upgrading any etcd cluster, pull up CHANGELOG-3.6.md directly and diff the entries since your current version. The 3.6 series has known breaking changes, and skipping this step on a stateful system like etcd is a real risk.

  • enhancementVerify container image source if you pull from quay.io

    etcd's primary registry is gcr.io/etcd-development/etcd. If your pipelines pull from quay.io/coreos/etcd, confirm that image is current and matches the gcr.io digest. Secondary registries can lag. Pin by digest, not just tag, to avoid silent version mismatches.

Key changes (4)
  • Release notes do not enumerate specific changes; full details are in the CHANGELOG-3.6.md
  • Upgrade guide should be reviewed prior to upgrading due to potential breaking changes in the 3.6 series
  • Primary container image available via gcr.io/etcd-development/etcd; quay.io/coreos/etcd remains the secondary registry
  • Supported platform matrix may have been updated — verify your architecture/OS combo before deploying
Source

etcd

Kubernetes CoreMar 20, 2026

etcd v3.5.28 is a patch release in the 3.5 series. Release notes are sparse — check the full CHANGELOG for specifics before upgrading.

  • breakingRead the CHANGELOG before upgrading — release notes are incomplete

    The published release notes for v3.5.28 contain no actual change details. Before upgrading any etcd cluster, pull the full CHANGELOG-3.5.md from the etcd repo and review entries since your current version. Skipping this on a stateful system like etcd is a real risk.

  • enhancementStick to the primary container registry for pulls

    gcr.io/etcd-development/etcd is the authoritative image source. quay.io/coreos/etcd is secondary and may lag. If your cluster pulls from quay.io, verify the image digest matches the primary before deploying in production.

Key changes (4)
  • Patch release in the 3.5 stable series
  • Full change details available only in the CHANGELOG-3.5.md, not surfaced in the release notes directly
  • Container images available via gcr.io/etcd-development/etcd (primary) and quay.io/coreos/etcd (secondary)
  • Upgrade guide should be reviewed before deploying — breaking changes may be present
Source

etcd

Kubernetes CoreMar 20, 2026

etcd v3.4.42 is a maintenance release on the 3.4 branch. The release notes are sparse — check the full CHANGELOG for specifics before upgrading.

  • breakingCheck the upgrade guide even for patch releases

    The release explicitly calls out that breaking changes may exist. On a 3.4.x patch bump this is unlikely but not impossible — particularly around snapshot or WAL handling. Verify the upgrade guide is clean for your version before rolling out to production clusters.

  • enhancementReview the full CHANGELOG before upgrading

    The release notes published here are essentially empty. Before applying this update to any environment, pull the CHANGELOG-3.4.md directly from the etcd repo to understand what bug fixes or patches are included. Blind upgrades on a critical consensus store are a bad idea.

Key changes (4)
  • Maintenance release on the 3.4.x stable branch
  • Full change details available only in the CHANGELOG-3.4.md
  • Upgrade guide should be reviewed for any breaking changes before applying
  • Container images available on gcr.io/etcd-development/etcd (primary) and quay.io/coreos/etcd (secondary)
Source

Kubernetes

Kubernetes CoreMar 19, 2026

v1.35.3 is a small patch with two kubeadm bug fixes and one DRA eviction status reporting cleanup. Low risk, safe to apply.

  • enhancementUpgrade kubeadm-managed clusters to fix etcd learner endpoint bug

    The etcd learner member fix is the most operationally relevant change here. If you use kubeadm and have experienced etcd client connectivity issues during node join/promotion operations, this patch addresses the root cause. Schedule an upgrade during your next maintenance window — no config changes required, just a kubeadm binary update.

  • enhancementkubeadm reset is more reliable on systems with peer mounts

    If your node reset automation was failing on environments where /var/lib/kubelet has peer mounts (common in certain container runtimes or nested mount configurations), this fix prevents those EINVAL errors from blocking the reset process. Worth upgrading if you've seen unexplained reset failures.

Key changes (3)
  • kubeadm no longer adds etcd learner members to client endpoints, preventing potential routing issues during cluster operations
  • kubeadm reset now ignores EINVAL errors when unmounting /var/lib/kubelet peer mounts, avoiding spurious failures on reset
  • DRA device taint eviction controller fixes a misleading status message that double-counted pod evictions in intermediate states
Source

Kubernetes

Kubernetes CoreMar 19, 2026

v1.34.6 is a minimal patch fixing two kubeadm bugs: etcd learner endpoints and a kubelet unmount error during cluster reset.

  • enhancementUpgrade if you run kubeadm-managed clusters with etcd membership changes

    The etcd learner fix matters any time you add etcd members — a learner node (not yet a voting member) being included in client endpoints could cause request failures during the promotion window. If you've seen intermittent etcd client errors during node additions, this patch resolves it. Otherwise, apply at your normal patch cadence.

  • enhancementUpgrade if kubeadm reset fails on your nodes

    The EINVAL unmount fix addresses a real pain point: kubeadm reset aborting mid-way when certain bind mounts under /var/lib/kubelet can't be cleanly unmounted. This tends to show up on nodes with overlapping mount namespaces or specific filesystem setups. If you've had to manually clean up after a failed reset, this patch removes that friction.

Key changes (3)
  • kubeadm no longer adds etcd learner members to client endpoint lists, preventing potential routing errors during etcd membership changes
  • kubeadm reset now ignores EINVAL errors when unmounting /var/lib/kubelet peer mounts, fixing failures on certain kernel/filesystem configurations
  • No dependency changes — this is a pure bug fix release
Source

Kubernetes

Kubernetes CoreMar 19, 2026

v1.33.10 is a small patch fixing a kube-controller-manager nil pointer crash in ValidatingAdmissionPolicy and two kubeadm operational bugs. No dependency changes.

  • breakingPatch immediately if you use ValidatingAdmissionPolicy with open schemas

    Any ValidatingAdmissionPolicy referencing an object schema with `additionalProperties: true` will crash kube-controller-manager outright — not degrade gracefully. If you're running v1.33.x and using VAP, check your policies now. Upgrade to v1.33.10 before deploying any new policies with open schemas, or you risk taking down the controller manager.

  • enhancementkubeadm etcd learner fix matters for HA cluster joins

    When adding control plane nodes, etcd temporarily registers new members as learners. The previous behavior incorrectly included learner endpoints in the etcd client pool, which could cause client errors during promotion. If you run kubeadm-managed HA clusters and have experienced intermittent etcd client failures during control plane joins, this patch resolves it. Upgrade before your next control plane scaling operation.

  • enhancementkubeadm reset now handles stubborn bind mounts cleanly

    On nodes with bind-mounted /var/lib/kubelet directories, `kubeadm reset` previously failed with EINVAL during unmount, leaving cleanup incomplete. The fix silently ignores EINVAL — which is expected for peer mounts — so resets complete cleanly. Useful if you automate node decommissioning with kubeadm reset in scripts.

Key changes (3)
  • ValidatingAdmissionPolicy: schemas with `additionalProperties: true` no longer crash kube-controller-manager with a nil pointer exception
  • kubeadm no longer adds etcd learner members to client endpoints, preventing potential routing issues during cluster operations
  • kubeadm reset now gracefully handles EINVAL errors when unmounting /var/lib/kubelet peer mounts, avoiding false failures
Source

Lima

Kubernetes CoreMar 17, 2026

Lima v2.1.0 adds experimental macOS and FreeBSD guest support, renames the guest home directory path, and consolidates disk files — a release with real migration considerations alongside useful new features.

  • breakingDisk file consolidation means no downgrade path

    Once an instance runs under Lima v2.1, its disk format is incompatible with v2.0 and v1.x. Snapshot or back up critical VM instances before upgrading. If you manage shared Lima environments or CI pipelines that pin Lima versions, ensure all consumers upgrade together — you can't roll back individual instances.

  • breakingHardcoded paths to `/home/${USER}.linux` will break

    The guest home directory is now `/home/${USER}.guest`. A symlink covers the old path, so most things will keep working. However, any scripts, dotfiles, or tooling that hardcodes the `.linux` suffix — particularly in non-symlink-aware contexts like bind mounts or container volume paths — should be audited and updated.

  • enhancementUse `limactl shell --sync` for AI agent workflows

    If you're running AI coding agents (e.g., Claude Code, Aider) inside Lima shells, `--sync` prevents the agent from accidentally modifying host files by syncing the working directory into the guest context. Adopt this flag in any automation or agent harness that launches `limactl shell` — it's a low-friction safety net.

  • enhancementk3s template now supports multi-node clusters

    The built-in `k3s` template can now spin up multi-node clusters, which makes local Kubernetes testing significantly more realistic. If you've been working around this limitation with custom configs or alternative tools like Rancher Desktop, it's worth re-evaluating the native template.

Key changes (6)
  • Experimental macOS and FreeBSD guest support via new templates (`template:macos`, `template:freebsd`)
  • Guest home directory renamed from `/home/${USER}.linux` to `/home/${USER}.guest`; old path symlinked for compatibility
  • `basedisk` + `diffdisk` consolidated into a single `disk` file — instances from v2.0/v1.x boot fine in v2.1, but not the reverse
  • New `limactl shell --sync` flag to isolate AI agent shell sessions from host filesystem
  • Host-to-guest time synchronization added in the hostagent; guestagent binary shrunk from 14MB to 6.1MB
  • QEMU is now the default hypervisor for non-native architectures
Source

Helm

Kubernetes CoreMar 12, 2026

Helm v3.20.1 fixes two critical bugs affecting chart value handling and OCI registry operations that could cause deployment failures.

  • enhancementUpgrade immediately for value handling fixes

    This patch resolves two bugs that could break chart deployments. The nil value preservation fix prevents unexpected behavior when overriding chart defaults, while the OCI tag+digest fix enables proper chart pulling from registries using both identifiers. Test your existing charts after upgrading to ensure value overrides work as expected.

  • enhancementVerify OCI chart references work properly

    If you use OCI registries with tag+digest references (like `registry/chart:v1.0@sha256:abc123`), this release fixes previous 'invalid byte' errors. Update your CI/CD pipelines to use this version before relying on tag+digest combinations for chart immutability.

Key changes (4)
  • Fixed nil value preservation bug when charts have empty maps or no defaults for keys
  • Resolved OCI reference failures with tag+digest causing 'invalid byte' errors
  • Updated Kubernetes dependencies to latest versions
  • Added support for pulling charts from OCI indices
Source

Helm

Kubernetes CoreMar 11, 2026

Helm v4.1.3 patches multiple critical bugs affecting OCI registries, dry-run operations, and value handling that were causing deployments to fail or behave unpredictably in production environments.

  • breakingUpdate OCI registry workflows immediately

    If you use OCI registries that store both container images and Helm charts under the same tag, upgrade now. The previous bug caused complete pull failures. Test your chart pulls after upgrading to ensure compatibility with your registry setup.

  • enhancementReview autoscaling upgrade timeouts

    Upgrades now properly wait for cluster autoscalers and rolling updates instead of failing prematurely. Review your deployment pipelines and consider reducing any artificial delays you added to work around this issue. Monitor initial upgrades closely to verify improved behavior.

  • enhancementValidate dry-run operations with generateName

    Server-side dry-run now correctly handles generateName fields. If you've been avoiding dry-run validation for resources using generateName, re-enable it in your CI/CD pipelines. This improves pre-deployment validation coverage.

Key changes (5)
  • Fixed dry-run server mode not respecting generateName, causing validation issues
  • Resolved OCI registry failures when pulling charts from mixed container/chart repositories
  • Fixed nil value preservation preventing proper chart defaults overrides
  • Corrected FailedStatus handling that caused premature upgrade failures during autoscaling
  • Eliminated YAML corruption from template whitespace trimming after post-rendering
Source

containerd

Kubernetes CoreMar 10, 2026

containerd 2.2.2 fixes critical CRI networking bugs, registry credential leakage, and AppArmor compatibility issues that could affect production Kubernetes workloads.

  • securityUpdate to prevent registry credential exposure

    Registry credentials could leak in error messages and pod events. Deploy this patch immediately if you use private registries with authentication, as these credentials might appear in logs or Kubernetes events that could be accessed by unauthorized users.

  • breakingFix CNI network cleanup after restarts

    CNI DEL operations weren't executing after containerd restarts, leaving stale network configurations. This affects pod networking reliability. Update before your next maintenance window to prevent network namespace leaks and potential IP conflicts.

  • enhancementUpgrade for AppArmor compatibility

    AppArmor profiles now work correctly with unix domain sockets on modern kernels. If you're running newer kernel versions and experiencing socket connection issues with AppArmor enabled, this update resolves the compatibility problem.

Key changes (5)
  • Fixed CNI cleanup issue where network teardown failed after containerd restarts
  • Resolved credential leakage in error messages when registry authentication fails
  • Fixed AppArmor profile causing unix socket failures on newer kernels
  • Corrected registry mirror configuration migration for legacy setups
  • Fixed nil pointer crashes in memory metrics when constraints are partially configured
Source

CoreDNS

Kubernetes CoreMar 6, 2026

CoreDNS v1.14.2 delivers critical security fixes including ACL bypass prevention and stronger loop detection randomness, plus introduces proxy protocol support for preserving client IPs behind load balancers.

  • securityUpgrade immediately to fix ACL bypass vulnerability

    This release fixes CVE-2026-26017 where the rewrite plugin could bypass ACL restrictions. Teams using ACL plugin for access control should prioritize this upgrade and verify their rewrite rules aren't inadvertently exposing restricted zones.

  • securityUpdate Go runtime for multiple CVE fixes

    The Go 1.26.1 update addresses five CVEs in the runtime. Plan your rollout to ensure you're getting both CoreDNS fixes and the underlying Go security improvements, especially if your CoreDNS instances are internet-facing.

  • enhancementDeploy proxyproto plugin for load balancer environments

    If you're running CoreDNS behind load balancers and need real client IP visibility for logging or ACLs, configure the new proxyproto plugin. This is particularly valuable for environments where client IP-based policies or audit trails are required.

Key changes (5)
  • New proxyproto plugin enables client IP preservation behind load balancers using Proxy Protocol
  • Fixed ACL bypass vulnerability by reordering rewrite plugin execution before ACL checks
  • Strengthened loop detection security by switching to cryptographically secure randomness
  • Resolved TLS+IPv6 forwarding parsing errors that affected encrypted DNS traffic
  • Enhanced DNS logging with response Type and Class metadata for better observability
Source

CRI-O

Kubernetes CoreMar 3, 2026

CRI-O v1.33.10 fixes a critical bug in high performance hook IRQ SMP affinity handling that could cause IRQ interference between containers during late deletion scenarios.

  • securityUpdate immediately if using high performance hooks

    This bug could cause performance degradation or unexpected behavior in high-performance workloads by interfering with IRQ handling between containers. If you're running CRI-O with high performance hooks enabled (typically in HPC or latency-sensitive environments), upgrade immediately to prevent IRQ SMP affinity corruption that occurs during container cleanup.

Key changes (3)
  • Fixed IRQ SMP affinity bug in high performance hooks preventing cross-container interference
  • Resolved issue where late container deletion affected IRQ settings of other containers
  • No dependency changes or new features in this patch release
Source

CRI-O

Kubernetes CoreMar 3, 2026

CRI-O v1.35.1 fixes critical systemd container issues with user namespaces and adds TLS configuration options for API servers.

  • breakingTest systemd workloads with user namespaces

    A regression in v1.35.0 broke systemd containers when hostUsers: false is set. This patch fixes it, but if you're running v1.35.0, upgrade immediately and test any systemd workloads that use user namespace isolation to ensure they start properly.

  • enhancementConfigure TLS settings for production security

    New TLS configuration options let you harden streaming and metrics server security. Add tls_min_version and tls_cipher_suites to your [crio.api] section to enforce TLS 1.3 and strong cipher suites in production environments.

  • enhancementVerify runc v1.4.0 compatibility

    The update to runc v1.4.0 brings performance improvements and bug fixes. Test your container workloads, especially those using advanced features like cgroups v2 or checkpoint/restore, to ensure compatibility with the new runtime version.

Key changes (5)
  • Fixed systemd containers failing with 'Permission denied' errors when user namespaces are enabled
  • Added TLS configuration options (tls_min_version, tls_cipher_suites) for streaming and metrics servers
  • Improved OCI artifact pull fallback logic to skip retries on retryable errors
  • Updated runc to v1.4.0 and multiple dependency versions for stability
  • Enhanced TLS support with configurable TLS 1.2 (default) and TLS 1.3 options
Source

CRI-O

Kubernetes CoreMar 3, 2026

CRI-O v1.34.6 is a maintenance release with no functional changes, dependencies, or fixes - purely a version bump from v1.34.5.

  • enhancementSkip this release unless forced by policy

    This release contains zero functional changes. Stay on v1.34.5 unless your organization requires running the latest patch version for compliance reasons. Save the upgrade effort for a release that brings actual improvements.

Key changes (4)
  • No code changes between v1.34.5 and v1.34.6
  • No dependency updates or removals
  • Release artifacts available for amd64, arm64, ppc64le, and s390x architectures
  • SBOM and signature verification support maintained
Source
Browse by month