RATATOSKRATATOSK
Sign in

Releases

AI-analyzed release notes for CNCF graduated and incubating projects.

Feb 2026Clear ×

Karmada

Orchestration & ManagementFeb 28, 2026

Karmada v1.16.3 is a bug-fix release addressing critical issues including controller race conditions, scheduler panics, and graceful eviction problems that could impact multi-cluster operations stability.

  • breakingUpgrade immediately to prevent scheduler crashes

    The scheduler panic fix for divide-by-zero errors is critical for production stability. Schedule maintenance window to upgrade karmada-scheduler component, especially if you use spread constraints across clusters with dynamic availability.

  • enhancementReview CronFederatedHPA configurations after upgrade

    The fix for CronFederatedHPA scale-up failures when replicas field is missing improves reliability. After upgrading, verify your CronFederatedHPA resources are scaling correctly from zero replicas, and consider adding explicit replicas fields to avoid edge cases.

  • enhancementMonitor graceful eviction behaviors post-upgrade

    The graceful eviction timing fix prevents GracePeriodSeconds leakage between tasks. After upgrade, monitor your workload evictions to ensure they complete within expected timeframes and adjust grace periods if needed for improved resource cleanup.

Key changes (5)
  • Fixed job status aggregator race condition causing error loops in controller manager
  • Resolved CronFederatedHPA scaling failures when replicas field is missing
  • Corrected graceful eviction task timing issues preventing proper resource cleanup
  • Fixed scheduler divide-by-zero panic when no valid clusters available for spread constraints
  • Improved backoff queue sorting to prevent priority inversion in scheduler operations
Source

Karmada

Orchestration & ManagementFeb 28, 2026

Karmada v1.15.6 is a critical bug-fix release addressing race conditions, scheduler panics, and CronFederatedHPA failures that could impact production stability.

  • securityBase image security update included

    Alpine base image updated to 3.23.3 which may include security patches. Review your container scanning results after upgrade and update any custom images based on Karmada components.

  • breakingCritical scheduler stability fixes require immediate update

    The scheduler panic fix and backoff queue corrections address critical stability issues that could cause service disruptions. Plan immediate upgrade for production environments running multi-cluster workloads with spread constraints or high scheduling volumes.

  • enhancementCronFederatedHPA reliability improvements

    If using CronFederatedHPA for autoscaling, this release fixes scale-up failures when replicas field is missing. Update to ensure consistent autoscaling behavior across your federated deployments.

Key changes (5)
  • Fixed job status aggregator race condition preventing error loops
  • Resolved CronFederatedHPA scale-up failures when replicas field is missing
  • Corrected graceful eviction task timing issues with GracePeriodSeconds
  • Fixed scheduler panic from divide-by-zero errors in spread constraints
  • Improved backoff queue sorting to prevent priority inversion issues
Source

Vitess

Storage & DataFeb 27, 2026

Security-focused release addressing two critical CVEs related to backup MANIFEST file vulnerabilities that could allow arbitrary command execution and path traversal attacks.

  • securityImmediate upgrade required for CVE-2026-27965 and CVE-2026-27969

    Two critical CVEs allow attackers with backup storage write access to execute arbitrary commands and perform path traversal attacks. Upgrade immediately to v22.0.4 and review backup storage access controls to ensure only trusted entities have write permissions.

  • securityAudit and secure backup storage access

    Since these vulnerabilities require write access to backup storage, review who has write permissions to your backup locations. Implement proper access controls and consider using immutable backup storage where possible to prevent tampering.

  • breakingUpdate VTTablet configuration if using MANIFEST-based decompressors

    External decompressor commands from MANIFEST files are ignored by default. If your restore process relies on this behavior, add the --external-decompressor-use-manifest flag to your VTTablet configuration, but understand this reintroduces security risks.

Key changes (4)
  • External decompressor commands from backup MANIFEST files are no longer used by default
  • Path traversal attacks via MANIFEST file modifications are now prevented
  • New --external-decompressor-use-manifest flag added for explicit opt-in to MANIFEST-based decompressor
  • 37 merged pull requests with security-focused improvements
Source

Vitess

Storage & DataFeb 27, 2026

Vitess v23.0.3 is a critical security release addressing two CVEs related to backup restore vulnerabilities, with breaking changes to external decompressor handling.

  • securityImmediate Upgrade Required for Backup Security

    This release fixes critical vulnerabilities (CVE-2026-27965, CVE-2026-27969) that allow attackers with backup storage write access to execute arbitrary commands or perform path traversal attacks. Upgrade immediately if you use Vitess backups, especially in environments where backup storage might be compromised. Review backup storage access controls and audit recent backup operations for suspicious activity.

  • breakingUpdate VTTablet Configuration for External Decompressors

    If your backup/restore process relies on external decompressors defined in MANIFEST files, you must add the --external-decompressor-use-manifest flag to your VTTablet configuration. Without this flag, restores will fail if they depend on MANIFEST-specified decompressors. Review your backup strategy and explicitly configure decompressor commands instead of relying on MANIFEST files for better security.

  • enhancementStrengthen Backup Security Posture

    Take this opportunity to review and harden your backup security practices. Implement strict access controls on backup storage, use dedicated service accounts with minimal permissions, and consider encrypting backup storage. The new security model provides better isolation but requires explicit configuration of decompression tools rather than trusting backup metadata.

Key changes (5)
  • External decompressor commands from backup MANIFEST files are no longer used by default during restore
  • Added --external-decompressor-use-manifest flag to explicitly opt into MANIFEST-based decompressor usage
  • Implemented path traversal protection to prevent arbitrary file writes during backup restore
  • Fixed CVE-2026-27965 and CVE-2026-27969 related to backup security vulnerabilities
  • 22 merged pull requests focused on security improvements
Source

Flux

CI/CD & App DeliveryFeb 24, 2026

Flux v2.8.0 introduces major GitOps capabilities including Helm v4 support, enhanced observability, faster recovery times, and improved notification features while removing deprecated APIs.

  • breakingMigrate from deprecated v1beta2/v2beta2 APIs immediately

    Deprecated APIs have been removed from CRDs. Follow the official upgrade procedure for Flux v2.7+ to migrate your resources to supported API versions before upgrading to v2.8.0.

  • enhancementEnable faster application recovery with new feature gate

    Activate the CancelHealthCheckOnNewRevision feature gate on your Kustomizations and HelmReleases to reduce recovery time during application failures by canceling health checks when new revisions are detected.

  • enhancementImplement automated PR notifications for GitOps workflows

    Configure Pull Request commenting in your notification providers to enable direct feedback from Flux deployments to development teams, improving visibility and collaboration in GitOps workflows.

Key changes (5)
  • Helm v4 support with server-side apply and improved health checking
  • Reduced mean time to recovery with CancelHealthCheckOnNewRevision feature gate
  • Pull Request commenting support in notification providers
  • Custom SSA apply stages for ordered resource deployment in kustomize-controller
  • Automatic GitHub App installation ID lookup from repository owners
Source

Knative

Orchestration & ManagementFeb 24, 2026

Knative v1.21.1 is a patch release that rebuilds v1.21.0 with Kubernetes v1.25.7 and provides advance notice of upcoming security defaults changes in v1.22.

  • securityPrepare for enhanced pod security posture

    Review your container images and workloads that run as root. The upcoming AllowRootBounded setting restricts root access while maintaining compatibility. Audit your applications now and consider migrating away from root execution where possible for better security alignment.

  • breakingTest workloads for v1.22 security changes now

    The secure-pod-defaults will change from disabled to AllowRootBounded in v1.22. Test your workloads with this setting enabled now. If incompatible, explicitly set secure-pod-defaults to disabled in your configuration before upgrading to v1.22 to avoid service disruptions.

Key changes (4)
  • Rebuilt with Kubernetes v1.25.7 for compatibility and stability
  • secure-pod-defaults remains disabled by default in v1.21.1
  • Future v1.22 release will change secure-pod-defaults to AllowRootBounded by default
  • AllowRootBounded setting provides better security while maintaining compatibility with root-requiring images
Source

KubeVirt

Orchestration & ManagementFeb 23, 2026

KubeVirt v1.7.1 delivers critical bug fixes for live migration, volume hotplug, and VM snapshot operations, along with enhanced monitoring capabilities and security updates.

  • securityUpdate to address crypto dependency vulnerabilities

    The golang.org/x/crypto dependency was updated to v0.45.0 to address security issues. Plan to upgrade to this version promptly, especially in production environments handling sensitive workloads, as crypto vulnerabilities can impact VM security.

  • breakingCross-vendor migration prevention requires review

    KubeVirt now prevents cross-vendor migrations which may break existing workflows that rely on migrating VMs between different infrastructure providers. Review your migration patterns and ensure source and target nodes use compatible virtualization stacks.

  • enhancementImplement ephemeral volume monitoring

    New metrics and alerts for ephemeral hotplug volumes improve operational visibility. Configure your monitoring stack to capture these new metrics and set up alerts for ephemeral volume lifecycle events to better track resource usage and potential issues.

Key changes (6)
  • Fixed decentralized live migration issues between volumes with different volumeModes
  • Resolved block volume hotplug breaking autoattachVSOCK functionality
  • Added ephemeral hotplug volume metrics and alerts for better monitoring
  • Fixed missing migration metrics that impacted observability
  • Updated security dependencies including golang.org/x/crypto to v0.45.0
  • Enhanced VM export functionality to work with PVCs from completed pods
Source

Argo

CI/CD & App DeliveryFeb 22, 2026

Argo CD v3.3.2 fixes the critical client-side apply migration issue that affected self-managed installations in v3.3.0/v3.3.1, requiring specific upgrade steps for users managing Argo CD with itself.

  • breakingEnable ServerSideApply for Self-Managed Installations

    If you have an Argo CD Application managing your Argo CD installation, you must enable `ServerSideApply=true` sync option on that Application before upgrading to v3.3.2. This is required for the upgrade to succeed and prevents apply migration failures.

  • breakingRemove Temporary ClientSideApplyMigration Setting

    If you previously upgraded to v3.3.0/v3.3.1 and set `ClientSideApplyMigration=false` as a workaround, remove this setting after upgrading to v3.3.2. Keeping it may cause field manager conflicts with other Kubernetes controllers.

  • enhancementSafe Upgrade Path for Previously Affected Users

    Users affected by the v3.3.0/v3.3.1 client-side apply migration bug can now safely upgrade to v3.3.2. Follow the upgrade guide carefully and test the upgrade process in a non-production environment first, especially for self-managed installations.

Key changes (4)
  • Fixed client-side apply migration failure that prevented successful upgrades in v3.3.0/v3.3.1
  • Resolved conflicts between Argo CD field manager and other Kubernetes field managers
  • Updated documentation to clarify upgrade requirements for self-managed installations
  • Maintained SLSA Level 3 provenance and cosign signatures for all container images
Source

Contour

Networking & MessagingFeb 20, 2026

Contour v1.33.2 is a maintenance release that fixes a critical HTTPProxy status update bug, upgrades Go to v1.25.7, and improves CPU allocation for the shutdown-manager container.

  • securityUpgrade for Go security patches

    Go v1.25.7 includes security fixes and performance improvements. Schedule an upgrade to benefit from these updates, especially if you're running production workloads with previous Contour versions.

  • breakingFix HTTPProxy status update issues

    If you're experiencing load balancer status update failures with HTTPProxy resources, this release fixes the CRD schema issue. Upgrade immediately if you rely on status fields for monitoring or automation.

  • enhancementImproved Gateway Provisioner performance

    The increased CPU limit for shutdown-manager prevents throttling issues. If you're using Contour Gateway Provisioner and experiencing slow shutdown operations, this upgrade will improve performance.

Key changes (4)
  • Go runtime updated to v1.25.7 for latest security and performance improvements
  • Fixed HTTPProxy CRD schema bug causing load balancer status update failures
  • Increased shutdown-manager CPU limit from 50m to 200m in Gateway Provisioner to prevent throttling
  • Maintains compatibility with Kubernetes versions 1.32 through 1.34
Source

Contour

Networking & MessagingFeb 20, 2026

Contour v1.32.3 is a maintenance release that updates Go runtime to v1.24.13 and fixes a critical CRD schema bug preventing load balancer status updates.

  • securityUpdate for Go Security Fixes

    Go v1.24.13 includes security patches. Schedule upgrade to v1.32.3 during your next maintenance window to benefit from runtime security improvements and bug fixes.

  • breakingFix Load Balancer Status Issues

    If you're experiencing load balancer status update failures with HTTPProxy resources, upgrade immediately. The CRD schema fix resolves status reporting issues that could affect traffic routing visibility and monitoring.

Key changes (4)
  • Go runtime updated to v1.24.13 with security fixes and improvements
  • Fixed HTTPProxy CRD schema bug that incorrectly marked status.loadBalancer.ingress[].ports[].error as required field
  • Resolved load balancer status update failures affecting ingress traffic routing
  • Maintained compatibility with Kubernetes versions 1.31 through 1.33
Source

Kyverno

SecurityFeb 19, 2026

Kyverno v1.17.1 is a focused patch release fixing a CVE, multiple crash/panic conditions, race conditions, and image verification bugs that could silently misbehave in production.

  • securityPatch CVE-2025-68121 now

    CVE-2025-68121 is fixed in this release. Details on scope are limited in the notes, but any CVE fix in an admission controller warrants immediate attention. If you're on v1.17.0, upgrade to v1.17.1 before doing anything else. Don't wait for your next maintenance window.

  • breakingVerify your policy exclusion rules if you use empty lists

    A bug was fixed where an empty list in a policy exclusion would silently exclude ALL resources instead of none. If you have any ClusterPolicy or Policy with exclusion blocks, audit them now. If you were unknowingly relying on empty-list-as-exclude-all behavior (unlikely but possible), your policies will now behave correctly — meaning resources that were previously skipped will now be evaluated.

  • enhancementImage verification with TSA and private registries is now reliable

    Two separate ivpol fixes land here: signed timestamp verification is now correctly enabled when a TSACertChain is provided, and private registry secrets in the Kyverno namespace are now used during background report scanning. If you've been seeing unexpected verification failures in background scans or with TSA-based signature policies, upgrade and re-run your report scans to get accurate results.

Key changes (5)
  • CVE-2025-68121 patched — update immediately if running v1.17.0
  • Panic fixed in metrics wrapper when generate response returns no result — previously could crash the controller
  • Race conditions eliminated in configuration.IsExcluded() and ReportsBreaker — affected correctness under concurrent load
  • Image verification (ivpol) fixes: private registry auth now works in reports scanner, multi-signature annotation validation bug resolved, and TSA signed timestamp verification enabled when cert chain is provided
  • Empty list in policy exclusion no longer silently excludes all resources — a subtle but dangerous behavioral bug
Source

Fluentd

ObservabilityFeb 19, 2026

Fluentd v1.19.2 delivers critical bug fixes for socket leaks and connection timeouts, with Ruby 4.0 compatibility improvements. Priority fix for production stability issues affecting out_forward and HTTP server plugins.

  • securityUpgrade immediately to fix socket leak vulnerability

    HTTP server plugin had socket leaks in POST requests that could lead to resource exhaustion. This is a critical fix for production environments using HTTP input plugins. Update immediately and monitor socket usage after deployment.

  • breakingUpdate out_forward configurations for timeout handling

    The out_forward plugin now properly handles connection timeouts to prevent infinite loops. Review your forward output configurations and monitor for any connection behavior changes, especially in high-throughput environments where connection stability is critical.

  • enhancementPrepare for Ruby 4.0 migration

    This release adds Ruby 4.0 compatibility with updated gem dependencies including ostruct and net-http. Plan your Ruby upgrade path and test this version in staging environments if you're planning to move to Ruby 4.0.

Key changes (5)
  • Fixed out_forward plugin timeout issue preventing infinite connection loops
  • Resolved socket leaks in HTTP server plugin POST requests
  • Fixed in_tail plugin errors when encountering unreadable files in glob patterns
  • Added Ruby 4.0 compatibility with updated gem dependencies
  • Fixed duplicate config file loading in config_include_dir
Source

Strimzi

Networking & MessagingFeb 19, 2026

Strimzi 0.50.1 is a critical security patch addressing two CVEs affecting versions 0.47.0+, with mandatory CRD upgrades and final support for Kubernetes 1.27-1.29.

  • securityImmediate upgrade required for CVE fixes

    If running Strimzi 0.47.0 or newer, immediately review the CVE advisories and upgrade to 0.50.1. These are critical security vulnerabilities that require urgent patching in production environments.

  • breakingUpdate KafkaUser resources before upgrading

    Before upgrading, update all KafkaUser resources to use .spec.authorization.acls[]operations field instead of the deprecated .spec.authorization.acls[]operation field to avoid compatibility issues.

  • breakingPlan Kubernetes upgrade for Strimzi 0.51+

    This is the final version supporting Kubernetes 1.27-1.29. Plan to upgrade your clusters to Kubernetes 1.30+ before upgrading to Strimzi 0.51.0 or newer to maintain compatibility.

Key changes (5)
  • Fixes two critical security vulnerabilities CVE-2026-27133 and CVE-2026-27134 affecting Strimzi 0.47.0+
  • Includes full CA chain in broker certificates for improved TLS certificate validation
  • Fixes bugs in v1 API conversion tool for number conversions and empty YAML handling
  • Last version supporting Kubernetes 1.27, 1.28, and 1.29 - future versions require K8s 1.30+
  • Continues migration to v1 APIs with mandatory CRD upgrades, especially critical for Helm users
Source
Browse by month