RATATOSKRATATOSK
Sign in

Releases

AI-analyzed release notes for CNCF graduated and incubating projects.

Jul 2026Clear ×

Kyverno

SecurityJul 10, 2026

Kyverno v1.18.2 is a patch release fixing a HIGH security issue (GHSA-79gf-7frw-68m9) where generator policies could bypass namespace boundaries, plus backported security dependency updates, watcher restart fixes, and several CLI and policy improvements.

  • securityPatch namespace boundary bypass in generator policies

    Generator policies could bypass namespace boundaries when applying rules, allowing cross-namespace policy enforcement. Upgrade to v1.18.2 to restore proper isolation.

  • securityApply security dependency updates

    Security dependency updates have been backported to address known vulnerabilities in transitive dependencies.

Key changes (7)
  • HIGH: Namespace boundary enforcement in generator policies patched (GHSA-79gf-7frw-68m9)
  • Security dependency updates backported
  • Background reporting now restarts dynamic watchers correctly on 410 Gone responses
  • Required validation policies no longer abort on image mismatches
  • CLI now accepts multiple CRDs in a single --crd-path file
  • pss-helm policy chart adds 'image' to allowed volume types
  • Report label prefixes corrected for multi/delegated policies
Source

SPIRE

SecurityJul 9, 2026

SPIRE v1.15.2 is a mixed release addressing security concerns through docker/docker to moby/moby migration (resolving CVEs) and a HIGH-severity delegated identity API restriction preventing JWT-SVID exposure for admin or downstream entries. The release also introduces the SPIFFE Broker, per-caller rate limiting, TLS metrics endpoint support, and numerous performance and compatibility improvements across multiple attestors and plugins.

  • securityResolve docker/docker CVEs via moby/moby migration

    docker/docker dependencies have been migrated to moby/moby equivalents to resolve Docker/Moby CVEs. Upgrade to v1.15.2.

  • breakingDelegated API no longer serves JWT-SVIDs for admin/downstream entries

    The delegated identity API no longer serves JWT-SVIDs for admin or downstream entries. If you use the delegated identity API with admin or downstream entries, verify that clients no longer depend on JWT-SVID tokens from those entry types.

Key changes (7)
  • Security: docker/docker migrated to moby/moby to resolve CVEs
  • Security: Delegated identity API restricted—no longer serves JWT-SVIDs for admin or downstream entries
  • Enhancement: Per-caller rate limiting for agent Workload API and Envoy SDS
  • Enhancement: TLS support for Prometheus metrics endpoint with optional SPIFFE ID allowlist
  • Enhancement: SPIFFE Broker endpoint and API introduced
  • Performance: Attested nodes now fetched in bulk; optimized MySQL list entries query for reduced database load
  • Plus 16 additional features, fixes, and improvements: post-quantum cryptography curves, aws_kms tag-based discovery, azure_imds fixes, CA journal durability, structured logging, Windows SE_DEBUG_PRIVILEGE support, and more
Source

cert-manager

SecurityJul 8, 2026

cert-manager v1.21.0 is a mixed release: it ships a security-hardening RBAC restriction (GHSA-8rvj-mm4h-c258) plus two other breaking Helm/RBAC changes, alongside new ARI, Vault AWS-IAM, and Gateway API capabilities and several bug fixes. Operators should review Helm values and RBAC assumptions before upgrading.

  • securityReview cert-manager-edit permissions after Challenge/Order create rights removed

    cert-manager-edit no longer grants create on Challenge resources or create/patch/update on Order resources, closing a path where a user with edit access could tamper with ACME validation flow. Fixed upstream in v1.20.3 and carried into v1.21.0; upgrade if your tooling or users create Challenge/Order resources directly, since those workflows will need the cert-manager-approve or a custom role instead.

  • breakingDefault tokenrequest RBAC for the controller ServiceAccount removed

    The Helm chart no longer creates the default Role/RoleBinding granting serviceaccounts/token: create to the controller's own ServiceAccount. This only affects clusters relying on the undocumented pattern of serviceAccountRef.name pointing at the controller's ServiceAccount; those setups need an explicit RBAC grant added post-upgrade.

  • breakingRemove deprecated Prometheus Helm values before upgrading

    prometheus.servicemonitor.targetPort, prometheus.servicemonitor.path, and prometheus.podmonitor.path are gone from the Helm values schema (the ServiceMonitor port was also renamed from tcp-prometheus-servicemonitor to http-metrics). Any values override still setting these keys will fail Helm's schema validation on upgrade; scrub them from your values files first.

Key changes (8)
  • Security: cert-manager-edit ClusterRole restricted, removing Challenge/Order create-patch-update rights (GHSA-8rvj-mm4h-c258, fixed since v1.20.3)
  • Breaking: default RBAC for controller ServiceAccount tokenrequest creation removed from the Helm chart
  • Breaking: legacy Prometheus Helm values (servicemonitor.targetPort/path, podmonitor.path) removed; ServiceMonitor port renamed to http-metrics
  • Deprecated: enableGatewayAPI/enableGatewayAPIListenerSet in favor of gatewayAPI.enabled/enableListenerSet; cainjector's ServerSideApply feature gate also deprecated (old fields still work)
  • New features: experimental ACME Renewal Information (ARI) support, Vault AWS IAM auth (IRSA/EKS Pod Identity), Certificate renewalPolicies field, and a FIPS 140-3 compatible Modern2026 PKCS#12 profile
  • Gateway API additions: http01-parentreffallback annotation for TLS-only ListenerSets and ignore-tls-listeners annotation
  • Notable bug fixes: renewBeforePercentage integer overflow for long-duration certs, infinite re-issuance loop on expired issuer certs, ACME challenges now retry transient network errors instead of failing terminally
  • Plus roughly a dozen smaller items: DoH response size cap, Vault path traversal validation, DNS secret pre-validation, cainjector --ignore-namespaces, startupapicheck cleanup TTL, Debian 13 base images
Source

Open Policy Agent (OPA)

SecurityJul 2, 2026

OPA v1.18.2 is a routine patch that restores the original newline-preservation behavior in `opa fmt`. Policies that were already correctly formatted will no longer be rewritten when the formatter runs.

Key changes (1)
  • Fixes a regression in `opa fmt` (introduced in v1.18.0) where single-item collections (arrays, objects, sets) were always expanded onto multiple lines regardless of the source formatting, causing spurious diffs on already-formatted policies
Source
Browse by month