RATATOSKRATATOSK
Sign in

Releases

AI-analyzed release notes for CNCF graduated and incubating projects.

Last 7 daysClear ×

Cilium

Networking & MessagingJul 16, 2026

Cilium v1.19.6 is a routine patch fixing multiple regressions in ClusterMesh affinity handling and host firewall configuration, along with policy and gateway-api issues. A minor gateway-api telemetry feature and dependency updates are included.

  • breakingClusterMesh affinity annotation traffic blackhole fixed

    When using the service.cilium.io/affinity: "none" annotation in ClusterMesh, all remote backends were incorrectly dropped if no local endpoints exist, causing a traffic blackhole. The fix ships in v1.19.6 and matters if ClusterMesh services rely on this annotation to manage traffic distribution across clusters.

  • breakingHost firewall disabled-state configuration sync fixed

    Disabling hostFirewall.enabled via Helm (toggling from true to false) left the host firewall in the live ConfigMap in enabled state, causing the firewall rules to remain active despite the configuration change. The fix ships in v1.19.6 and applies when toggling the host firewall setting.

Key changes (6)
  • ClusterMesh traffic blackhole when using service.cilium.io/affinity: "none" with no local endpoints fixed
  • Host firewall remained enabled in live ConfigMap after Helm disablement fixed
  • Policy denial regressions for L7 load-balanced services and pod network policy restoration during agent restart addressed
  • Stale hostport entries and gateway-api port listener assignment bugs corrected
  • Gateway-api adds configurable access logs via spec.telemetry.accessLogs in CiliumGatewayClassConfig
  • cilium/ebpf upgraded to v0.22.0; statedb bumped to v0.5.9
Source

Istio

Networking & MessagingJul 16, 2026

Istio v1.29.6 is a routine patch addressing ambient mesh bugs in pilot-agent drain counting, ztunnel CNI deadlock, Istiod memory accumulation, and east-west gateway RBAC filtering. Auto-registered WorkloadEntry resources gain HBONE capability, though existing entries require the networking.istio.io/tunnel=http label to activate encrypted tunneling.

  • breakingAuto-registered WorkloadEntry resources require label addition for HBONE tunneling

    WorkloadEntry resources created through auto-registration before upgrading to v1.29.6 continue to use plaintext tunneling until they re-register or the networking.istio.io/tunnel=http label is manually added to their existing WorkloadEntry. This is a transitional state affecting ambient mesh deployments that do not rebuild their auto-registered workload entries.

Key changes (5)
  • Fixed pilot-agent drain logic on ambient ingress gateways and waypoints to correctly count HBONE connections, eliminating unnecessary waits on graceful termination
  • Fixed ambient CNI agent deadlock where concurrent pod deletions and ztunnel reconnections could block the ZDS server
  • Fixed Istiod memory leak where failed pod IP entries were not cleaned up from resync state
  • Fixed east-west gateway RBAC filtering incorrectly blocking cross-network traffic when L7 AuthorizationPolicies are present
  • Auto-registered WorkloadEntry resources now support HBONE tunneling, with label-based opt-in for existing entries
Source

Istio

Networking & MessagingJul 16, 2026

Istio 1.30.3 is a routine patch focused on bug fixes and scalability improvements for ambient mode. No CVEs. One operator-visible change: auto-registered workloads in ambient mode fall back to plaintext HBONE until re-registered or explicitly labeled; deployments relying on HBONE encryption for such workloads may need to take action.

  • breakingPlaintext HBONE fallback for pre-registered workloads in ambient mode

    Workloads auto-registered with Istio before upgrading to 1.30.3 continue to be reached over plaintext HBONE until they either re-register or the operator adds the networking.istio.io/tunnel=http label to their existing WorkloadEntry resource. This applies in ambient mode when workloads were registered prior to this release.

Key changes (8)
  • Behavior change: auto-registered workloads in ambient mode fall back to plaintext HBONE until re-registered or labeled with networking.istio.io/tunnel=http
  • Performance: XDS pushes for workload/service address changes scoped to affected waypoints only (can disable via AMBIENT_SCOPED_ADDRESS_PUSHES=false)
  • Fix: metadata-only VirtualService changes no longer trigger unnecessary XDS pushes to all proxies
  • Fix: pilot-agent now reloads certificates on Kubernetes secret rotations after the first rotation
  • Fix: remote cluster secrets picked up by istiod without restart, preventing cluster registry deadlock
  • Fix: waypoint proxies exit gracefully on ambient ingress gateways (EXIT_ON_ZERO_ACTIVE_CONNECTIONS now fires correctly)
  • Enhancement: custom taint name support for pilot node untaint controller via PILOT_NODE_UNTAINT_CONTROLLERS_TAINT_NAME
  • Plus ~6 additional fixes: ambient CNI deadlock, istiod memory leak, WasmPlugin cross-namespace crash-loop, cross-network RBAC blocking, Telemetry namespace scope, default HTTP retries for waypoint inbound routes
Source

KubeEdge

Provisioning & RuntimeJul 15, 2026

KubeEdge v1.23.1 is a minor patch with one operator-facing breaking change: device status is now read from a new DeviceStatus CRD rather than the Device CRD status field. The release also adds Windows support, device anomaly detection, optimizes edge-to-cloud queries, and refactors the database backend to GORM.

  • breakingDevice status moved to DeviceStatus CRD

    Device status is now stored in a separate DeviceStatus CRD instead of in the Device CRD's status field. Code that reads device status must be updated to query the DeviceStatus CRD. Backward compatibility with older CRD versions is maintained, but the status field in Device is no longer the source of truth.

Key changes (7)
  • Device CRD restructured: status now lives in separate DeviceStatus CRD; queries must read from the new resource
  • Windows support added to EdgeCore and Keadm: named pipes, version mismatch detection, service log redirection
  • Device anomaly detection framework introduced via Device CRD pushMethod configuration
  • Edge node queries optimized to use local database instead of CloudCore remote calls
  • Edge database backend refactored from Beego ORM to GORM
  • Kubernetes dependency updated to v1.32.10
  • Dashboard v0.2.0: Backend-for-Frontend layer, Chinese language support, UI improvements
Source

KubeEdge

Provisioning & RuntimeJul 15, 2026

KubeEdge v1.21.2 is a feature release combining v1.21.1 fixes with new capabilities: v1alpha2 node job APIs now default (v1alpha1 deprecated), ConfigUpdateJob CRD for cloud-driven config updates, and closed-loop flow control for node groups. Operators must prepare for four breaking changes: node jobs are disabled by default in EdgeCore, keadm upgrade no longer auto-backs up, v1alpha1 node job APIs are unmaintained, and keadm upgrade business flags are hidden.

  • breakingNodeUpgradeJob/ImagePrePullJob default to v1alpha2; v1alpha1 deprecated

    v1alpha2 is now the default for NodeUpgradeJob and ImagePrePullJob. The v1alpha1 versions remain supported with backward-compatible CRDs but will be unmaintained starting now and removed after v1.23. To continue using v1alpha1, set the feature gates in ControllerManager and CloudCore.

  • breakingNode job module disabled by default in EdgeCore

    The node job Beehive module in EdgeCore is now disabled by default. Existing deployments relying on NodeUpgradeJob or ImagePrePullJob must enable the module in edgecore.yaml or node jobs will not run.

  • breakingkeadm upgrade no longer backs up automatically

    The keadm upgrade command no longer automatically backs up the cluster state. Manual backup via the separate backup command is now required before upgrades.

  • breakingkeadm upgrade business-related flags deprecated

    Flags related to business logic in the keadm upgrade command are hidden and will be removed after v1.23. Any workflows depending on these flags must be refactored.

Key changes (8)
  • v1alpha2 NodeUpgradeJob/ImagePrePullJob now default, v1alpha1 deprecated; opt-out via ControllerManager/CloudCore feature gates; removal after v1.23
  • Node job Beehive module disabled by default in EdgeCore; requires edgecore.yaml to enable
  • keadm upgrade no longer auto-backs up; manual backup command needed before upgrades
  • Node Task API v1alpha2 redesigned with Phase field (Init/InProgress/Completed/Failure) and nodeStatus subfields for improved error tracking
  • ConfigUpdateJob CRD added for cloud-driven EdgeCore config updates; disabled by default, requires TaskManager enable and EdgeCore restart to apply
  • Closed-loop flow control added for node groups, restricting cross-group service access
  • Dashboard enhanced with BFF layer and keink one-click cluster launch
  • Fixed: NodeUpgradeJob runner registration, policyManager reconciliation, Lease parsing, keadm reset edge container removal, mapper-framework data push
Source

Envoy

Networking & MessagingJul 14, 2026

Envoy v1.39.0 is a major release combining several breaking behavior changes (mandatory keyUsage enforcement, disabled DLB balancer, stricter TLS inspector validation, changed OTel sampling behavior) with a large batch of roughly 20 medium-severity CVE fixes spanning HTTP/2, HTTP/3, ext_authz, ext_proc, OAuth2, DNS, and several other subsystems. It also ships extensive non-actionable feature and performance work, including dynamic-modules extension points and a new streaming JSON parser for AI protocols.

  • securityBroad CVE batch fixed across core protocol and extension code

    This release fixes roughly 20 CVEs across HTTP/2, HTTP/3, ext_authz, ext_proc, gRPC stats, internal redirects, OAuth2, DNS, JSON parsing, PROXY protocol, formatters, StatsD, TLS SAN handling, and Zstd decompression, all rated medium by the notes. Notable ones include HTTP/2 cookie-based header-limit bypass (CVE-2026-47774), HTTP/3 QPACK blocked-decoding DoS (GHSA-p7c7-7c47-pwch), and Zstd decompression memory exhaustion (CVE-2026-48044). The fixes ship in v1.39.0.

  • securityOAuth2 cookie encryption moves to AES-256-GCM (opt-in migration)

    OAuth2 adds AES-256-GCM cookie encryption to address CVE-2026-47775, replacing the older CBC-based scheme. Migration is opt-in: enable oauth2_use_gcm_encryption, monitor the oauth_legacy_cbc_decrypt metric, then disable oauth2_legacy_cbc_decrypt_compat once legacy decryption is no longer observed.

  • breakingCertificate keyUsage enforcement is now mandatory

    Envoy now always enforces the certificate keyUsage extension; the enforce_rsa_key_usage field is deprecated and ignored. This applies unconditionally starting in v1.39.0, so certificates that previously relied on lax enforcement may now fail validation.

  • breakingDLB connection balancer disabled in all builds

    The Intel DLB connection balancer (envoy.network.connection_balance.dlb) is disabled in all builds because of a broken source archive. This applies wherever that extension is configured.

  • breakingTLS inspector now rejects out-of-range client TLS versions

    The TLS inspector now validates that client TLS versions fall between 1.0 and 1.3, rejecting anything outside that range. The check is unconditional in v1.39.0 but can be reverted with envoy.reloadable_features.tls_inspector_enforce_client_tls_version.

  • breakingOTel tracing now defers to Envoy's own sampling decision

    The OpenTelemetry tracer now honors Envoy's own request-entry sampling decision, including overall_sampling, even when a propagated trace context or configured sampler requests sampling. This applies to deployments relying on downstream or context-based sampling overriding Envoy's local config, and may reduce the volume of exported spans.

Key changes (8)
  • Roughly 20 medium-severity CVE fixes across HTTP/2, HTTP/3, ext_authz, ext_proc, gRPC stats, internal redirects, OAuth2, DNS, JSON parsing, PROXY protocol, formatters, StatsD, TLS SAN handling, and Zstd decompression; notable ones include CVE-2026-47774 (HTTP/2 cookie header-limit bypass), GHSA-p7c7-7c47-pwch (HTTP/3 QPACK DoS), and CVE-2026-48044 (Zstd memory exhaustion)
  • OAuth2 gains AES-256-GCM cookie encryption (CVE-2026-47775) with an opt-in, staged migration path off legacy CBC decryption
  • Certificate keyUsage enforcement is now mandatory (enforce_rsa_key_usage deprecated); TLS inspector now rejects client TLS versions outside 1.0-1.3
  • Intel DLB connection balancer extension disabled in all builds due to a broken source archive
  • OpenTelemetry tracer now defers to Envoy's own sampling decision (including overall_sampling), which may reduce exported spans
  • Unified DNS cluster implementation is now the default, enabling shared c-ares resolvers and qcache across clusters
  • HeaderMatcher now matches separately supplied header values individually rather than only their comma-joined form (revertible via feature gate)
  • Large non-actionable batch: dynamic-modules extension points and Rust SDK, new Wuffs-based streaming JSON parser for MCP/A2A/OpenAI/Anthropic, new bandwidth-sharing and sub-filter-chain HTTP filters, CNSA/post-quantum TLS policies, io_uring and SO_REUSEPORT BPF performance work, plus numerous bugfixes (connection-pool re-entrancy, DNS resolver leaks, Golang filter re-entry)
Source

Backstage

CI/CD & App DeliveryJul 14, 2026

Backstage v1.53.0 is a feature release with seven breaking changes across auth, CLI, and API layers. The SSE MCP transport, proxy agent bootstrap, and OpenAPI testing CLI commands are removed; OAuth redirect validation is tightened to reject wildcards crossing host-path boundaries and embedded credentials; config-loader enforces strict type checking; and EntityContextMenuItemBlueprint changes output structure. Optic is replaced by oasdiff for OpenAPI tooling. Numerous bugfixes address TechDocs, Scaffolder, and catalog issues; new features include breadcrumbs framework, user settings storage, and extended auth/database options. No security fixes are included.

  • breakingSSE MCP transport removed

    The Server-Sent Events (SSE) transport for MCP actions has been removed from @backstage/plugin-mcp-actions-backend. If your deployment uses the SSE transport, switch to the Streamable HTTP endpoint or update your MCP configuration.

  • breakingStricter config-loader type validation

    Config-loader now validates imported types in TypeScript configuration schemas instead of treating them as unconstrained. Invalid imports will cause schema loading to fail. Review your configuration schemas for unresolved or missing type imports.

  • breakingTighter OAuth redirect URI and CIMD allowlist matching

    Wildcard patterns in OAuth redirect URIs are now constrained: patterns must include an explicit protocol, wildcards no longer match across host and path boundaries, and embedded credentials are always rejected. Patterns like http://localhost:* now match only the root path; use http://localhost:*/* to allow any path. Update your auth configuration to match this stricter syntax.

  • breakingEntityContextMenuItemBlueprint output type change

    The EntityContextMenuItemBlueprint API now outputs menu item data instead of a rendered MUI element; the icon type is now IconElement. Update any code that depends on the catalog entity context menu to use the new data structure.

  • breakingLegacy proxy agent bootstrap removed

    The bootstrapEnvProxyAgents export has been removed from @backstage/cli-common, along with global-agent and undici dependencies. If you rely on this export, use Node's native NODE_USE_ENV_PROXY environment variable instead.

  • breakingOpenAPI CLI commands and wrapInOpenApiTestServer removed

    The package schema openapi init and repo schema openapi test CLI commands have been removed. Runtime OpenAPI validation is still available via wrapServer from @backstage/backend-openapi-utils/testUtils. The wrapInOpenApiTestServer function has also been removed; use wrapServer instead.

  • breakingOpenAPI tooling switched from Optic to oasdiff

    Optic (@useoptic/optic and @useoptic/openapi-utilities) has been replaced with oasdiff in @backstage/repo-tools for OpenAPI breaking change detection. Update any tooling or CI/CD pipelines that reference Optic.

Key changes (10)
  • SSE MCP transport removed from @backstage/plugin-mcp-actions-backend; use Streamable HTTP endpoint
  • Config-loader now enforces strict type validation; invalid imports cause schema load failure
  • OAuth redirect URI validation tightened: explicit protocol required, credentials rejected, wildcards constrained (http://localhost:* matches root only; use http://localhost:*/* for any path)
  • EntityContextMenuItemBlueprint changed to output data instead of MUI elements (icon is now IconElement)
  • bootstrapEnvProxyAgents removed from @backstage/cli-common; use NODE_USE_ENV_PROXY instead
  • OpenAPI CLI commands (package schema openapi init, repo schema openapi test) and wrapInOpenApiTestServer removed; use wrapServer
  • Optic replaced with oasdiff for OpenAPI breaking change detection in @backstage/repo-tools
  • Catalog entity page migration to BUI and entity header extension deprecation in progress
  • Fixes for TechDocs metadata loop, DatabaseTaskStore string cast, Bitbucket pickers, catalog export crashes, EntityTypePicker regression, scheduled task registration, React key warnings, Kubernetes schema inclusion, yeoman-environment v4 compatibility, and TechDocs blank page rendering
  • Enhancements: breadcrumbs framework, TextAreaField UI component, react-aria-components re-export, user settings plugin, multi-config BACKSTAGE_ENV stacking, Azure DevOps webhooks, CIMD token revocation, Redis connection options, S3 PrivateLink, Auth0 prompt parameters, embedded postgres flags, extension predicate action attributes
Source
Browse by month