RATATOSKRATATOSK
Sign in

Releases

AI-analyzed release notes for CNCF graduated and incubating projects.

Project: RookClear ×

Rook

Storage & DataYesterdayJul 7, 2026

Rook v1.20.2 is a routine patch that tightens mgr network policy to ingress-only and bumps Ceph to v20.2.2 and ceph-csi-operator to v1.0.4, alongside several bug fixes and minor enhancements. No CVEs or breaking API changes are included.

  • securitymgr NetworkPolicy tightened to ingress-only

    The mgr NetworkPolicy is now restricted to ingress-only traffic. If you have custom NetworkPolicy rules that rely on mgr egress paths being open by default, review and adjust your network policies after upgrading to v1.20.2.

  • enhancementCeph bumped to v20.2.2, ceph-csi-operator to v1.0.4

    The default Ceph image is updated to v20.2.2 and ceph-csi-operator to v1.0.4. Test these versions in staging if your deployment pins Ceph or CSI operator images explicitly.

Key changes (7)
  • mgr NetworkPolicy restricted to ingress-only, closing previously open egress paths (medium severity)
  • Ceph default version updated to v20.2.2
  • ceph-csi-operator updated to v1.0.4
  • Node watcher now triggers reconciliation on label or annotation changes, improving dynamic node handling
  • VolumeAttachment resources are correctly removed during unmount in external clusters, preventing stale state
  • Mon reschedule floating time reduced for faster failover; node watcher skipped during initial cache sync to suppress spurious reconcile loops at startup
  • Smaller fixes: OSD raw-activate path no longer scans rbd devices incorrectly, config overrides now end with a trailing newline, object store realm access keys generated as URL-safe strings; new API for muting Ceph warnings added
Source

Rook

Storage & DataJun 16, 2026

Rook v1.20.1 is a patch release focused on Ceph operator stability: Ceph CSI driver compatibility, OSD major-version handling, and CSI-addons disabled by default to reduce unexpected behavior.

  • breakingCSI-addons disabled by default — check cluster dependencies

    CSI-addons (snapshot, clone, and expansion features) are now disabled by default in v1.20.1. If your workloads rely on these features, you must explicitly enable them in the Ceph cluster spec or your RWX volume snapshots and clones will fail. Review helm values and operator configs to enable addons before upgrade if needed.

  • enhancementUse node labels for OSD device class assignment instead of manual mapping

    Instead of hardcoding device class assignment per node, you can now use Kubernetes node labels (like `disk-type: ssd`) to automatically classify OSDs. This simplifies scaling clusters with mixed hardware. Apply node labels, then reference them in the Ceph cluster spec to avoid per-node configuration drift.

  • enhancementOSD require-osd-release is now enforced after major Ceph upgrades

    After a major Ceph version upgrade (e.g., Quincy to Reef), Rook now sets `require-osd-release` automatically to prevent old OSDs from rejoining before the cluster is ready. Before upgrade, ensure all OSDs can be updated together; if you have pinned some OSDs to an older version, they will be blocked from joining until unpinned.

Key changes (5)
  • Helm chart now includes Rook-compatible Ceph CSI driver values for easier integration
  • OSD require-osd-release is enforced after Ceph major upgrades to prevent version mismatch issues
  • CSI-addons disabled by default to prevent unintended feature activation
  • Node labels can now be used for OSD device class assignment, replacing manual configuration
  • Stale MDS and RGW pod disruption budgets are cleaned up automatically to avoid blocking cluster operations
Source

Rook

Storage & DataJun 16, 2026

Rook v1.19.7 was released, but the published notes are too brief to summarize. See the original release notes for details.

Source

Rook

Storage & DataJun 2, 2026

Rook v1.20 hands CSI driver management to the Ceph CSI operator — a breaking change for anyone with custom CSI config — while adding encrypted OSD resize, Vault Agent SSE-S3, and stabilizing concurrent cluster reconciliation.

  • breakingMigrate CSI config to Ceph-CSI operator before customizing anything

    Existing clusters will survive the upgrade with previously applied CSI settings, but any future CSI changes must go through the Ceph-CSI OperatorConfig and Driver CRs — not the Rook configmap. Helm users need the ceph-csi-drivers chart for operator settings (custom images stay in rook-ceph chart values). Audit your current CSI customizations now and plan the migration path before upgrading. Don't wait until you need to change a CSI setting post-upgrade to figure this out.

  • enhancementAudit CRUSH rules before upgrading if you rely on custom ones

    Rook now deletes unused CRUSH rules by default on mgr startup. If your environment has CRUSH rules that appear unused but are intentionally retained for failover or manual placement, set ROOK_DELETE_UNUSED_CRUSH_RULES=false in the operator config before upgrading. Losing custom CRUSH rules silently is the kind of thing that only hurts when you need them most.

  • enhancementEnable concurrent cluster reconciliation if running multiple Ceph clusters

    ROOK_RECONCILE_CONCURRENT_CLUSTERS is now marked stable after testing in prior releases. If you manage multiple CephCluster objects in one operator, enable this setting to reduce reconciliation bottlenecks. This is especially useful in multi-tenant or multi-cluster operator deployments where one slow cluster previously blocked others.

Key changes (5)
  • Breaking: CSI settings removed from Rook operator configmap and Helm chart; new installs must use Ceph-CSI OperatorConfig and Driver CRs
  • Encrypted host-based OSDs now auto-expand when the underlying disk is resized (encryptedDevice: true, non-PVC clusters)
  • SSE-S3 server-side encryption now supports HashiCorp Vault Agent authentication for CephObjectStore
  • Concurrent cluster reconciliation (ROOK_RECONCILE_CONCURRENT_CLUSTERS) is now stable
  • Unused CRUSH rules deleted by default after mgr starts; set ROOK_DELETE_UNUSED_CRUSH_RULES=false to opt out
Source

Rook

Storage & DataMay 27, 2026

Rook v1.19.6 is a targeted patch release addressing OSD device class handling, Prometheus metric labeling, and a network-layer dependency vulnerability. Mainly operational refinements for Ceph clusters already in production.

  • securityPatch golang.org/x/net vulnerability

    Rook v1.19.6 bumps golang.org/x/net twice (to fix govulncheck CI failures and address GO-2026-5026). If you run Rook in high-traffic environments or handle untrusted network input, review the golang.org/x/net advisory for the specific vulnerability. Upgrade to 1.19.6 to inherit the patched dependency, but do not delay if your Rook instance exposes networking logic to untrusted sources.

  • enhancementOSD device class detection fixed in raw-mode

    OSD device class handling now works correctly in raw-mode prepare and reconcile operations (#17407). If you use device classes to segregate fast (NVMe) from slow (HDD) storage, verify after upgrading that your OSD topology reflects the correct device classes. Check `ceph osd crush tree` and OSD weight distribution to ensure placement rules work as intended.

  • enhancementCluster label added to Prometheus metrics

    Prometheus scrape metrics now include a `cluster` label from upstream Ceph rules (#17544). If you aggregate Rook metrics across multiple Ceph clusters, this label addition improves metric cardinality and avoids collisions. Update any Prometheus rules, dashboards, or alerts that rely on the old label set; test in non-production first to catch any PromQL query breaks.

Key changes (8)
  • Prometheus rules updated with upstream Ceph changes; cluster label added to all scraped metrics
  • OSD device class now honored in raw-mode prepare and reconcile operations
  • golang.org/x/net patched to fix network-layer vulnerability (GO-2026-5026)
  • Self-signed certificate creation retry logic added for wrapped context deadline errors
  • Node existence checks added to monitor health check iterations
  • Default ResourceRequirements added for cmd-reporter pod
  • Encryption label detection improved for dmcrypt paths
  • DNS policy corrected for rook-ceph-exporter
Source

Rook

Storage & DataMay 27, 2026

Rook v1.18.11 patches liveness probe stability, OSD disk handling, and CSI priority class assignment. No major breaking changes, but one CSI component fix may shift pod scheduling.

  • breakingCSI priority class name correction

    CSI provisioner and plugin priority class names were swapped in earlier v1.18.x releases (PR #17361). If you've set custom CSI priority classes, check your PVCs and plugin pods after upgrade — the correct priority class will now apply to the right component, potentially changing scheduling behavior for storage workloads.

  • enhancementFix liveness probe script formatting

    Rook v1.18.11 removes newlines from liveness probe scripts (PR #17420). If your Ceph cluster's liveness probes are flaky or generating spurious restarts, upgrade immediately — the whitespace issue could be interfering with probe output parsing. No breaking changes, but the fix eliminates a source of operational noise.

  • enhancementDisk zapping for forced OSD installation

    The disk zapping feature for forced OSD installation (PR #17533) gives you explicit control over device reuse. If you're adding storage to existing nodes or recovering failed OSD slots, update to v1.18.11 and review your OSD discovery workflow — you can now force installation on previously used disks without manual intervention.

Key changes (5)
  • Disk zapping for forced OSD installation simplifies storage recovery
  • Liveness probe script newline fix reduces false pod restarts
  • CSI provisioner and plugin priority class names corrected
  • Go-jose library updated from 4.1.3 to 4.1.4
  • Out-of-date PgHealthyRegex documentation references fixed
Source

Rook

Storage & DataApr 28, 2026

Rook v1.19.5 patches several operator bugs including a CSI priority class swap, OSD CRUSH device class fix, and more reliable mon drain behavior.

  • breakingAudit CSI priority classes after upgrade — they were swapped

    The provisioner and plugin priority class names were assigned to the wrong CSI components. If you set custom values for these fields, verify that your workloads are getting the priority you intended post-upgrade. Clusters running latency-sensitive storage I/O with tiered priority classes are most at risk. Check the assigned priority classes on CSI pods after the upgrade and adjust your Helm values if needed.

  • enhancementUpgrade if you've hit silent CRUSH device class failures on OSD re-discovery

    When OSDs were re-discovered (e.g., after node replacement or OSD recreation), the CRUSH device class wasn't being reapplied. This caused OSDs to land in the wrong CRUSH bucket, potentially breaking data placement rules. If you use device classes (hdd/ssd/nvme) for pool or rule targeting, verify your OSD tree after upgrading to confirm correct class assignments.

  • enhancementSet ROOK_UNREACHABLE_NODE_TOLERATION_SECONDS via Helm now

    Previously this required patching the operator deployment directly. With this release it's a first-class Helm value. If you've been working around this with post-install patches or custom operator manifests, clean those up and move the setting into your values file to avoid drift.

Key changes (5)
  • CSI: provisionerPriorityClassName and pluginPriorityClassName were swapped — clusters with custom priority classes have been running with incorrect assignments until now
  • OSD: CRUSH device class no longer silently ignored during OSD re-discovery, fixing placement policy enforcement
  • MON: drain prevention logic improved when monitors are already down, reducing split-brain risk during maintenance
  • Helm: ROOK_UNREACHABLE_NODE_TOLERATION_SECONDS is now configurable via chart values instead of requiring manual operator env overrides
  • Security: rook-ceph-nvmeof service account granted proper SCC permissions; CSI resources now carry Helm ownership annotations
Source

Rook

Storage & DataApr 14, 2026

Rook v1.19.4 is a focused patch release fixing CephObjectStoreUser capabilities, adding multi-cluster RBAC fixes, and improving OSD disk handling with forceful zap support.

  • breakingMulti-cluster deployments: apply the RBAC fix immediately

    The missing ceph-mgr RBAC role in secondary clusters could cause silent permission failures that are hard to diagnose. If you're running Rook in a multi-cluster setup, upgrade to v1.19.4 and verify ceph-mgr is operating correctly post-upgrade. Don't wait on this one.

  • enhancementForceful OSD replacement is now cleaner with disk zap

    The new disk zap behavior during forceful OSD installation removes the manual cleanup step that previously caused headaches when replacing failed OSDs. If you've been scripting around this limitation, review your runbooks — the operator now handles it directly.

  • enhancementAdd labels to RGW services for better traffic routing

    CephObjectStore RGW services now accept custom labels, which opens up more precise service mesh, load balancer, and network policy targeting. Worth adopting if you're running multiple object stores or need finer-grained traffic control.

Key changes (5)
  • CephObjectStoreUser capabilities setting now works correctly after a bug fix
  • Missing RBAC role for ceph-mgr in secondary clusters has been patched — multi-cluster deployments were silently broken
  • OSD disk zap on forceful installation added, enabling cleaner OSD replacement workflows
  • CephObjectStore RGW service now supports custom labels for better service targeting
  • CSI operator bumped to v0.6.0 and COSI sidecar image updated to latest default
Source

Rook

Storage & DataMar 24, 2026

Rook v1.19.3 delivers targeted fixes and additions across CSI, pool management, OSD operations, and RGW — with a notable shift to ceph-csi-operator for CSI deployments.

  • breakingCSI now deploys via ceph-csi-operator — verify your deployment model

    The shift to ceph-csi-operator for deploying Ceph-CSI/NVMe-oF changes how CSI components are managed. If you have customized CSI sidecar configurations or rely on specific deployment behavior, audit your setup before upgrading. The ceph-csi-operator introduces its own CRDs and reconciliation loop, so any direct overrides you've applied to CSI DaemonSets or Deployments may be overwritten or ignored post-upgrade.

  • enhancementEncrypted OSD users: apply the lockbox key rotation fix now

    The lockbox key rotation bug for encrypted OSDs could leave your cluster in an inconsistent encryption state over time. If you're running encrypted OSDs, upgrade to v1.19.3 and verify key rotation is functioning correctly afterward. This is especially relevant if you've observed any anomalies during OSD replacement or key rotation workflows.

  • enhancementRGW on IPv6? The secret formatting fix is a must

    The incorrect IPv6 formatting in object store user secrets would cause connection failures in IPv6-only or dual-stack environments. If your RGW deployment uses IPv6 addressing, this fix directly unblocks proper user secret generation. After upgrading, recreate or reconcile affected object store users to pick up correctly formatted secrets.

Key changes (5)
  • CSI deployments now go through ceph-csi-operator instead of direct management; ceph-csi image updated to v3.16.2
  • Erasure-coded pool handling improved: cleanup on deletion, correct ready status after reconcile, and mirroring skipped for EC data pools
  • Ceph-exporter gains configurable port support and orphaned deployment cleanup on reconcile
  • OSD disk cleaning now checks devlinks, and lockbox key rotation for encrypted OSDs is fixed
  • RGW fixes: correct IPv6 secret formatting for object store users, shared pools zone JSON support, and zone/sharedPools reconcile ordering
Source

Rook

Storage & DataMar 24, 2026

Rook v1.18.10 patches several OSD reliability issues, tightens RBAC permissions, and adds minor operational improvements to the Ceph exporter and NFS server.

  • securityAudit your Rook RBAC after upgrading — nodes/proxy grant is gone

    The operator's nodes/proxy RBAC permission has been removed. If any custom tooling or monitoring in your environment relied on Rook's ServiceAccount having that grant, it will break silently after upgrade. Review any pipelines or dashboards that use the Rook operator ServiceAccount before rolling this out to production.

  • breakingEncrypted OSD users should test key rotation after upgrading

    The lockbox key rotation logic for encrypted OSDs was updated. Encrypted OSD clusters should run a non-production upgrade first and explicitly verify key rotation still works end-to-end. The CephX key init fix (no overwrite on failure) also changes behavior during error recovery — test any failure/retry scenarios you have documented.

  • enhancementUse the new CephNFS image fields to pin or customize NFS server images

    The new spec.server.image and spec.server.imagePullPolicy fields let you specify a custom NFS Ganesha image per CephNFS resource. This is useful if you need to pin a specific version for compliance or test a patched image without waiting for a Rook release. Update your CephNFS manifests if you currently work around this with other hacks.

Key changes (5)
  • Orphaned ceph-exporter deployments are now cleaned up automatically during reconcile
  • RBAC: nodes/proxy grants removed from the operator — reduces cluster-wide privilege footprint
  • Encrypted OSD lockbox key rotation logic updated — important for clusters using OSD encryption
  • CephX key init no longer overwrites an existing key on failure — prevents accidental key loss
  • CephNFS gains spec.server.image and spec.server.imagePullPolicy fields for custom NFS images
Source

Rook

Storage & DataFeb 24, 2026

Rook v1.19.2 is a patch release focusing on bug fixes and feature additions for the Ceph operator, including CSI image updates, OSD multipath fixes, and NVMeOF improvements.

  • enhancementUpdate CSI components for bug fixes

    The Ceph CSI update to 3.16.1 includes important fixes. Plan a maintenance window to update your Rook deployment to benefit from improved storage provisioning reliability and bug fixes.

  • enhancementReview multipath storage configurations

    If you're using multipath devices with metadata devices for OSDs, this release fixes deployment issues. Test the upgrade in a staging environment first, as OSD changes can be sensitive.

  • enhancementLeverage new ObjectStore user management

    The new OpMask field in ObjectStoreUserSpec allows more granular permission control for RADOS Gateway users. Review your current user configurations and consider implementing more restrictive permissions where appropriate.

Key changes (5)
  • Updated Ceph CSI image to version 3.16.1 for improved storage provisioning
  • Fixed OSD deployment issues on multipath devices with metadata devices
  • Added OpMask field to ObjectStoreUserSpec for better RADOS Gateway user management
  • Enhanced NVMeOF gateway with topology spread constraints and expansion field updates
  • Improved log collection capabilities for Ceph exporter pods
Source