RATATOSKRATATOSK
Sign in

Releases

AI-analyzed release notes for CNCF graduated and incubating projects.

Mar 2026Clear ×

cert-manager

SecurityMar 10, 2026

cert-manager v1.20.0 introduces Gateway API ListenerSet support, Azure Private DNS integration, and promotes OtherNames to Beta, while fixing several ACME and DNS-related bugs.

  • securityUpdate for DNS DoS vulnerability fix

    A moderate security issue allowed attackers to cause controller denial-of-service through malformed DNS responses. Update immediately if your cert-manager controllers are exposed to untrusted DNS servers or networks where DNS traffic could be manipulated.

  • breakingContainer UID/GID changes affect security contexts

    Default container user changed from UID 1000 to 65532, and group from GID 0 to 65532. Review your pod security policies, security contexts, and file permissions if you've hardcoded these values or rely on root group access.

  • enhancementEnable Azure Private DNS for internal certificate management

    New Azure Private DNS support allows DNS-01 challenges for private zones. Configure your Azure DNS issuer with private zone settings to manage certificates for internal services without exposing DNS records publicly.

Key changes (5)
  • Gateway API ListenerSet resource support with experimental feature gate
  • Azure Private DNS zones support for DNS-01 challenges
  • OtherNames feature promoted to Beta and enabled by default
  • Network policy configuration flags across all containers
  • Enhanced Venafi provider with custom fields annotation support
Source

Harbor

Storage & DataMar 10, 2026

Harbor v2.13.5 focuses on security improvements with stricter bearer token validation and removes sensitive configuration data from audit logs.

  • securityBearer token security enforcement requires review

    Harbor now rejects bearer tokens issued before project creation, which could break existing integrations using older tokens. Audit your CI/CD pipelines and automation scripts that authenticate with Harbor to ensure they regenerate tokens after this upgrade.

  • enhancementAudit log cleanup improves security posture

    Configuration payloads are no longer logged in audit trails, reducing exposure of sensitive settings. Review your log monitoring and compliance processes to ensure they still capture necessary security events without relying on configuration data in logs.

  • enhancementUpdated Trivy brings latest vulnerability definitions

    Trivy v0.69.3 includes newer vulnerability databases and detection rules. Schedule a rescan of your container images to identify any newly discovered vulnerabilities that weren't caught in previous scans.

Key changes (5)
  • Removed payload from configuration audit logs to prevent sensitive data exposure
  • Enhanced bearer token security by rejecting tokens issued before project creation
  • Updated Trivy scanner to v0.69.3 and adapter to v0.35.1 for latest vulnerability detection
  • Upgraded Go runtime and base container images for security patches
  • Fixed CI pipeline compatibility with newer Docker versions
Source

Harbor

Storage & DataMar 10, 2026

Harbor v2.14.3 delivers critical security fixes for bearer token validation and updates Trivy scanner to version 0.69.3, focusing on hardening authentication mechanisms and keeping vulnerability detection current.

  • securityUpdate immediately for bearer token fix

    This release patches a security flaw where Harbor accepted bearer tokens issued before project creation. Deploy v2.14.3 immediately if you use token-based authentication, as this could allow unauthorized access to projects.

  • enhancementBenefit from updated Trivy scanning

    Trivy v0.69.3 includes the latest vulnerability database and detection capabilities. Schedule a rescan of your critical images after upgrading to catch newly discovered vulnerabilities that older versions missed.

  • enhancementReview audit log configurations

    Sensitive payload data has been removed from configuration audit logs to prevent credential exposure. Verify your log monitoring tools still capture the security events you need after this change.

Key changes (5)
  • Bearer token security fix preventing acceptance of tokens issued before project creation
  • Trivy vulnerability scanner updated to v0.69.3 with adapter v0.35.1
  • Configuration audit log no longer includes sensitive payload data
  • Base image refresh and Go dependency updates for improved security posture
  • GitHub Actions workflows migrated to ubuntu-latest runners
Source

Dapr

Orchestration & ManagementMar 9, 2026

Dapr 1.17.1 fixes critical runtime issues including WASM component registration failures on production architectures and workflow cleanup problems.

  • breakingUpgrade immediately if using WASM components

    WASM binding and middleware components were completely broken on production architectures in v1.16.0-v1.17.0. Applications using these components failed to start. Test your WASM components after upgrading to confirm they register and function correctly.

  • enhancementExpect placement service performance improvements

    Large clusters with many non-actor sidecars will see reduced placement overhead. Monitor placement service metrics and actor invocation latency—you should observe fewer lock cycles and improved performance, especially during sidecar restarts.

  • enhancementReview workflow cleanup configurations

    Previously stalled workflows that became unstalled can now be properly cleaned up. Verify your state retention policies are working as expected and check for any workflow instances that should have been purged but weren't.

Key changes (4)
  • WASM binding and middleware components now register properly on amd64/arm64/arm architectures after filename build constraint fix
  • Previously stalled workflows can now be cleaned up by state retention policies and purge APIs
  • Placement service no longer triggers unnecessary dissemination cycles for sidecars without actor types
  • Bulk subscription timers properly reset after early dispatch due to message count limits
Source

Argo

CI/CD & App DeliveryMar 9, 2026

Argo CD v3.3.3 delivers targeted bug fixes for CNPG actions, hook annotations, and resource health checks, maintaining stability without introducing breaking changes.

  • enhancementUpdate CNPG Integration Configuration

    Teams using CloudNativePG with Argo CD should verify their suspend/resume actions work correctly after upgrading. The annotation fix ensures proper CNPG cluster lifecycle management through Argo CD workflows.

  • enhancementReview Multi-Hook Resource Configurations

    Applications using multiple PreDelete or PostDelete hooks with comma-separated annotations will now execute properly. Audit existing applications with complex hook configurations to ensure expected behavior.

  • enhancementValidate Cross-Namespace Resource Dependencies

    Complex applications with multi-level cross-namespace dependencies involving cluster-scoped resources should now traverse correctly. Test existing applications that previously showed incomplete resource trees or sync issues.

Key changes (6)
  • Fixed CNPG suspend/resume actions using correct annotations
  • Corrected comma-separated hook annotations for PreDelete/PostDelete hooks
  • Improved resource health checks with proper drySha handling
  • Fixed standard resource icon display issues in UI
  • Enhanced kubeversion consistency with Helm version 3.3
  • Resolved multi-level cross-namespace hierarchy traversal for cluster-scoped resources
Source

NATS

Networking & MessagingMar 9, 2026

NATS v2.12.5 delivers critical security fixes for leafnode compression and WebSocket vulnerabilities, while significantly improving JetStream backup performance and fixing numerous stability issues in filestore operations.

  • securityUpdate immediately for critical CVE fixes

    Two CVEs affect production systems: CVE-2026-29785 impacts leafnode compression and CVE-2026-27889 affects WebSocket connections. Both can cause server panics or security issues. Schedule maintenance window to update all NATS servers running v2.12.4 or earlier.

  • enhancementOptimize JetStream backups for unreliable networks

    Stream backups now support window_size parameter for better flow control. If you run backups over slow or unreliable connections, configure appropriate window sizes to improve throughput and reduce backup failures. Test with your network conditions to find optimal values.

  • enhancementReview async metalayer snapshot behavior

    Metalayer snapshots now run asynchronously to prevent blocking JS API operations. This improves performance but changes timing behavior. If your applications rely on synchronous snapshot timing, set `meta_compact_sync: true` in jetstream config block to restore previous behavior.

Key changes (5)
  • Critical CVE fixes for leafnode compression (CVE-2026-29785) and WebSocket parsing (CVE-2026-27889)
  • JetStream stream backups now use improved flow control with window_size parameter for better performance over unreliable connections
  • Metalayer snapshots now run asynchronously by default to prevent blocking JS API operations
  • Fixed multiple filestore race conditions and lock leaks that could cause crashes or performance degradation
  • WebSocket handling improvements including proper frame validation and compression state management
Source

NATS

Networking & MessagingMar 9, 2026

NATS v2.11.14 is a critical security release addressing two CVEs affecting leafnode compression and WebSocket features, plus multiple stability fixes to prevent server panics.

  • securityUpgrade immediately if using leafnodes or WebSockets

    Two CVEs affect common NATS configurations. If you have leafnode compression or WebSocket features enabled, upgrade immediately to prevent potential security exploits. Check your configuration for 'compression: enabled' in leafnode sections or 'websocket' listeners.

  • securityReview WebSocket Origin validation settings

    Origin header validation now includes protocol scheme verification. Audit your WebSocket client configurations to ensure they specify correct origins (including https:// or wss:// schemes) to avoid connection rejections after upgrade.

  • enhancementMonitor for reduced panic incidents

    This release fixes multiple panic conditions in leafnode and WebSocket handling. After upgrading, you should see fewer unexpected server restarts. Review your monitoring dashboards to confirm improved stability metrics.

Key changes (5)
  • Fixes CVE-2026-29785 affecting leafnode compression systems
  • Fixes CVE-2026-27889 affecting WebSocket-enabled deployments
  • Prevents server panics from leafnode subscription race conditions
  • Improves WebSocket frame parsing and payload validation
  • Enhanced Origin header validation for WebSocket security
Source

Open Policy Agent (OPA)

SecurityMar 9, 2026

OPA v1.14.1 is a patch release that reverts rule indexer changes causing lookup failures and fixes a plugin manager deadlock, while updating dependencies for security vulnerabilities.

  • securitySecurity updates in dependencies

    This release includes Go 1.26.1 and updated dependencies that patch known vulnerabilities. Schedule this upgrade as part of your regular security maintenance cycle, especially if you're running OPA in production.

  • breakingUpgrade immediately if using v1.14.0

    The rule indexer changes in v1.14.0 cause policy lookup failures for some configurations. Deploy v1.14.1 to restore reliable policy evaluation. The optimization will return in v1.15.0 with proper fixes.

  • enhancementPlugin manager stability improved

    The deadlock fix resolves intermittent hangs during configuration operations. If you've experienced unexplained OPA freezes during plugin configuration, this release should eliminate those issues.

Key changes (4)
  • Reverted rule indexer optimization from v1.14.0 that caused unexpected policy lookup failures
  • Fixed intermittent deadlock in plugins manager during opa.configure operations
  • Updated Go to version 1.26.1 and refreshed dependency versions
  • Addressed various Golang standard library and package vulnerabilities
Source

Dragonfly

Storage & DataMar 9, 2026

Dragonfly v2.4.2 adds gRPC rate limiting and scheduler cluster configuration while improving security scores and fixing several configuration inconsistencies.

  • breakingUpdate configuration files for renamed fields

    The rateLimit configuration field was renamed to bandwidthLimit. Check your configuration files and update any references to use the new naming convention to avoid configuration parsing errors.

  • enhancementConfigure gRPC rate limiting for production

    The new gRPC rate limiting feature protects against resource exhaustion attacks. Review your current traffic patterns and configure appropriate rate limits in your Dragonfly configuration to prevent service degradation under load.

  • enhancementLeverage new scheduler cluster management

    With scheduler cluster de-registration support, implement proper cluster lifecycle management in your deployment scripts. This helps maintain cluster health and prevents orphaned schedulers from affecting performance.

Key changes (5)
  • Added gRPC server request rate limiting to prevent resource exhaustion
  • Introduced scheduler cluster de-registration support for better cluster management
  • Added seed client configuration support for improved peer connectivity
  • Refactored configuration naming for consistency (rateLimit → bandwidthLimit)
  • Upgraded API to v2.2.14 and multiple dependency updates for security patches
Source

Jaeger

ObservabilityMar 7, 2026

Jaeger v2.16.0 introduces breaking changes requiring Go 1.25.7 and removes legacy remote sampling format, while improving ClickHouse performance and adding Elasticsearch health-check timeout support.

  • breakingUpgrade Go to version 1.25.7 before deploying

    The Go version requirement is now enforced across the codebase. Teams running older Go versions will face build failures. Update your build environments, CI/CD pipelines, and container images to Go 1.25.7 before attempting to upgrade or build from source.

  • breakingUpdate remote sampling client integrations

    The legacy remote sampling endpoint response format has been removed. If your applications use custom remote sampling clients that depend on the old format, they will break. Review your sampling configuration and update any custom clients to use the current format before upgrading.

  • enhancementEnable Elasticsearch health-check timeout for improved startup reliability

    New startup health-check timeout configuration prevents indefinite blocking during Elasticsearch connectivity issues. Add health-check timeout settings to your Elasticsearch storage configuration to improve service startup reliability in environments with intermittent connectivity.

Key changes (6)
  • Go version requirement bumped to 1.25.7 across the entire codebase
  • Legacy remote sampling endpoint response format removed
  • ClickHouse query performance improved through findtraceids restructuring
  • Elasticsearch health-check timeout support added for startup reliability
  • HTTP servers migrated from Gorilla Mux to stdlib http.ServeMux
  • UI fixes for critical path visualization and v3 API client base path handling
Source

Dapr

Orchestration & ManagementMar 6, 2026

Dapr 1.16.10 fixes critical WASM component registration failures on production architectures and patches security vulnerabilities in Go runtime and OpenTelemetry SDK.

  • securityUpdate for Go runtime and OpenTelemetry security patches

    This release patches vulnerabilities in Go 1.25.7 (crypto/tls, go command) and OpenTelemetry SDK (arbitrary code execution via PATH hijacking). Plan your upgrade within your normal security patching window, prioritizing environments where PATH manipulation is possible.

  • breakingUpgrade immediately if using WASM components

    WASM binding and middleware components have been completely broken on production architectures since v1.16.0. If you're using these components and running v1.16.0-v1.16.9, upgrade to v1.16.10 immediately as your WASM components are silently failing to register.

  • enhancementReview Pulsar Avro message publishing for early error detection

    Pulsar PubSub now validates JSON messages against Avro schemas before publishing, catching malformed data earlier. Test your Pulsar publishing workflows to ensure they handle the new validation errors gracefully and benefit from faster codec performance.

Key changes (5)
  • Fixed WASM binding and middleware components failing to register on amd64/arm64 architectures due to filename collision with Go build constraints
  • Added Pulsar PubSub Avro schema validation to prevent malformed messages from being published without error feedback
  • Updated Go runtime to 1.25.7 with security fixes for crypto/tls and go command vulnerabilities
  • Upgraded OpenTelemetry SDK to v1.40.0 to patch arbitrary code execution vulnerability (GO-2026-4394)
  • Cached Pulsar Avro codec compilation at initialization for improved publishing performance
Source

CoreDNS

Kubernetes CoreMar 6, 2026

CoreDNS v1.14.2 delivers critical security fixes including ACL bypass prevention and stronger loop detection randomness, plus introduces proxy protocol support for preserving client IPs behind load balancers.

  • securityUpgrade immediately to fix ACL bypass vulnerability

    This release fixes CVE-2026-26017 where the rewrite plugin could bypass ACL restrictions. Teams using ACL plugin for access control should prioritize this upgrade and verify their rewrite rules aren't inadvertently exposing restricted zones.

  • securityUpdate Go runtime for multiple CVE fixes

    The Go 1.26.1 update addresses five CVEs in the runtime. Plan your rollout to ensure you're getting both CoreDNS fixes and the underlying Go security improvements, especially if your CoreDNS instances are internet-facing.

  • enhancementDeploy proxyproto plugin for load balancer environments

    If you're running CoreDNS behind load balancers and need real client IP visibility for logging or ACLs, configure the new proxyproto plugin. This is particularly valuable for environments where client IP-based policies or audit trails are required.

Key changes (5)
  • New proxyproto plugin enables client IP preservation behind load balancers using Proxy Protocol
  • Fixed ACL bypass vulnerability by reordering rewrite plugin execution before ACL checks
  • Strengthened loop detection security by switching to cryptographically secure randomness
  • Resolved TLS+IPv6 forwarding parsing errors that affected encrypted DNS traffic
  • Enhanced DNS logging with response Type and Class metadata for better observability
Source

Linkerd

Networking & MessagingMar 6, 2026

Edge release focused on dependency maintenance with proxy updates to v2.341.0. Notable addition of extra attributes in Kubernetes SubjectAccessReview for improved authorization handling.

  • enhancementEvaluate SubjectAccessReview improvements for RBAC

    The addition of extra attributes in SubjectAccessReview requests improves authorization evaluation accuracy. Review your current RBAC policies to ensure they handle additional context properly, especially if using custom authorization webhooks or detailed access controls.

  • enhancementMonitor proxy performance after v2.341.0 update

    Three proxy version bumps indicate active development. Test performance and connection handling in your environment, particularly if you've experienced proxy-related issues. The incremental updates suggest gradual improvements rather than breaking changes.

Key changes (5)
  • Proxy updated from v2.339.0 to v2.341.0 across multiple incremental releases
  • Major dependency updates including Tokio v1.50.0, axum v0.8.8, and Kubernetes client libraries
  • SubjectAccessReview now includes extra attributes for enhanced RBAC evaluation
  • Security framework updates including aws-lc-rs to v1.16.0 and rustls-pki-types to v1.14.0
  • GitHub Actions updated to newer versions (upload-artifact v7.0.0, download-artifact v8.0.0)
Source

Strimzi

Networking & MessagingMar 6, 2026

Strimzi 0.51.0 addresses critical CVEs and drops support for Kubernetes versions below 1.30, while adding Kafka 4.2.0 support and moving ServerSideApplyPhase1 to beta.

  • securityUpgrade immediately for CVE fixes

    Two critical CVEs affect Strimzi 0.47.0 and newer versions. Review the security advisories to determine if your deployment is affected, then upgrade to 0.50.1 or 0.51.0 immediately. The CVE numbers appear to be from 2026, which suggests these may be embargoed vulnerabilities with delayed disclosure.

  • breakingVerify Kubernetes compatibility before upgrading

    Strimzi 0.51.0 requires Kubernetes 1.30+. Check your cluster version before upgrading. If running Kubernetes 1.27-1.29, upgrade your cluster first or remain on an earlier Strimzi version until cluster upgrade is possible.

  • breakingUpdate CRDs and KafkaUser resources during upgrade

    Manually upgrade CRDs as part of the Strimzi upgrade process, especially when using Helm. For clusters upgrading from 0.48 or older, update KafkaUser resources to use the new `.spec.authorization.acls[]operations` field format before upgrading.

Key changes (5)
  • Critical security fixes for CVE-2026-27133 and CVE-2026-27134 requiring immediate upgrade from versions 0.47.0+
  • Kubernetes 1.30+ now required - versions 1.27, 1.28, and 1.29 no longer supported
  • Added Kafka 4.2.0 support while removing Kafka 4.0.0 and 4.0.1 compatibility
  • Per-listener Kafka configuration options now available for connection limits and reauthentication settings
  • Ingress listener type deprecated due to upstream project archival in March 2026
Source

Keycloak

SecurityMar 5, 2026

Keycloak 26.5.5 is a critical security release addressing four SAML broker vulnerabilities that could allow authentication bypass and unauthorized access in production environments.

  • securityImmediate upgrade required for SAML users

    These CVEs affect SAML broker configurations and could allow authentication bypass. If you use SAML identity providers or broker functionality, schedule emergency maintenance to upgrade immediately. Review your disabled SAML providers to ensure they're properly secured post-upgrade.

  • securityAudit SAML broker configurations

    After upgrading, verify that disabled SAML identity providers are truly disabled and cannot process authentication requests. Check your IdP-initiated login flows and ensure encryption is working correctly for SAML assertions.

Key changes (4)
  • Fixed CVE-2026-3047: SAML broker authentication bypass when disabled client completes IdP-initiated login
  • Resolved CVE-2026-3009: Improper enforcement of disabled identity providers in broker service
  • Patched CVE-2026-2603: Disabled SAML IdPs incorrectly allowing IdP-initiated logins
  • Secured CVE-2026-2092: SAML broker encrypted assertion injection vulnerability
Source

SPIRE

SecurityMar 3, 2026

SPIRE v1.14.2 addresses two critical security vulnerabilities in server node attestor plugins that could enable SSRF attacks and CPU exhaustion.

  • securityUpgrade immediately to patch critical vulnerabilities

    Two security issues affect SPIRE servers using http_challenge or x509pop attestors. The SSRF vulnerability lets attackers redirect servers to unauthorized domains and extract response data. The x509pop DoS vulnerability allows CPU exhaustion attacks. Update to v1.14.2 immediately if you use either attestor plugin.

Key changes (3)
  • Fixed SSRF vulnerability in http_challenge server node attestor plugin
  • Resolved CPU exhaustion issue in x509pop server node attestor plugin
  • Both vulnerabilities could be exploited by attackers during node attestation
Source

SPIRE

SecurityMar 3, 2026

SPIRE v1.13.4 fixes two critical security vulnerabilities in node attestor plugins that could enable SSRF attacks and CPU exhaustion attacks.

  • securityUpgrade immediately to patch critical vulnerabilities

    Two severe vulnerabilities affect node attestation security. The http_challenge plugin SSRF flaw lets attackers probe internal networks, while the x509pop plugin can be exploited for DoS attacks. Update to v1.13.4 immediately and audit recent attestation logs for suspicious activity.

  • securityReview node attestor plugin configurations

    If you use http_challenge or x509pop attestor plugins, verify your network security controls and consider temporary restrictions on node attestation endpoints until the upgrade is complete. Monitor CPU usage patterns during attestation processes.

Key changes (4)
  • Fixed SSRF vulnerability in http_challenge server node attestor allowing attackers to redirect server requests
  • Patched CPU exhaustion attack vector in x509pop server node attestor plugin
  • Both vulnerabilities affected the node attestation process used for workload identity verification
  • Security fixes address potential unauthorized access and denial of service scenarios
Source

CRI-O

Kubernetes CoreMar 3, 2026

CRI-O v1.33.10 fixes a critical bug in high performance hook IRQ SMP affinity handling that could cause IRQ interference between containers during late deletion scenarios.

  • securityUpdate immediately if using high performance hooks

    This bug could cause performance degradation or unexpected behavior in high-performance workloads by interfering with IRQ handling between containers. If you're running CRI-O with high performance hooks enabled (typically in HPC or latency-sensitive environments), upgrade immediately to prevent IRQ SMP affinity corruption that occurs during container cleanup.

Key changes (3)
  • Fixed IRQ SMP affinity bug in high performance hooks preventing cross-container interference
  • Resolved issue where late container deletion affected IRQ settings of other containers
  • No dependency changes or new features in this patch release
Source

CRI-O

Kubernetes CoreMar 3, 2026

CRI-O v1.35.1 fixes critical systemd container issues with user namespaces and adds TLS configuration options for API servers.

  • breakingTest systemd workloads with user namespaces

    A regression in v1.35.0 broke systemd containers when hostUsers: false is set. This patch fixes it, but if you're running v1.35.0, upgrade immediately and test any systemd workloads that use user namespace isolation to ensure they start properly.

  • enhancementConfigure TLS settings for production security

    New TLS configuration options let you harden streaming and metrics server security. Add tls_min_version and tls_cipher_suites to your [crio.api] section to enforce TLS 1.3 and strong cipher suites in production environments.

  • enhancementVerify runc v1.4.0 compatibility

    The update to runc v1.4.0 brings performance improvements and bug fixes. Test your container workloads, especially those using advanced features like cgroups v2 or checkpoint/restore, to ensure compatibility with the new runtime version.

Key changes (5)
  • Fixed systemd containers failing with 'Permission denied' errors when user namespaces are enabled
  • Added TLS configuration options (tls_min_version, tls_cipher_suites) for streaming and metrics servers
  • Improved OCI artifact pull fallback logic to skip retries on retryable errors
  • Updated runc to v1.4.0 and multiple dependency versions for stability
  • Enhanced TLS support with configurable TLS 1.2 (default) and TLS 1.3 options
Source

CRI-O

Kubernetes CoreMar 3, 2026

CRI-O v1.34.6 is a maintenance release with no functional changes, dependencies, or fixes - purely a version bump from v1.34.5.

  • enhancementSkip this release unless forced by policy

    This release contains zero functional changes. Stay on v1.34.5 unless your organization requires running the latest patch version for compliance reasons. Save the upgrade effort for a release that brings actual improvements.

Key changes (4)
  • No code changes between v1.34.5 and v1.34.6
  • No dependency updates or removals
  • Release artifacts available for amd64, arm64, ppc64le, and s390x architectures
  • SBOM and signature verification support maintained
Source
← Newer
Browse by month