RATATOSKRATATOSK
Sign in

Releases

AI-analyzed release notes for CNCF graduated and incubating projects.

metal3-io

Provisioning & RuntimeMay 8, 2026

metal3-io v0.13.0 drops the iRMC driver, deprecates BMH firmware spec, and ships HostClaim CRDs plus multi-arch PXE boot — a release with real breaking changes that demand pre-upgrade review.

  • breakingAudit iRMC usage and BMH.Spec.Firmware fields before upgrading

    The iRMC driver is gone — any BareMetalHost resources targeting iRMC BMC endpoints will stop reconciling after upgrade. Separately, BMH.Spec.Firmware is now deprecated; while it won't immediately break, you should plan migration to the replacement API. Scan your BMH manifests and Helm values for both before touching production.

  • breakingVerify CAPI and controller-runtime compatibility in your management cluster

    The jump to CAPI v1.13.1 and controller-runtime v0.23.3 is not trivial. If you run other CAPI providers alongside metal3, check their compatibility matrices now. A version mismatch between providers sharing the same management cluster can cause subtle CRD conflicts or webhook failures at runtime.

  • enhancementAdopt HostClaim CRDs for declarative bare-metal host allocation

    HostClaim and HostClaimSet resources give you a Kubernetes-native way to request and reserve bare-metal capacity without writing custom controllers. If you're currently managing host allocation through scripts or external tooling, evaluate whether HostClaim covers your use case — it's now feature-complete enough to replace simple reservation workflows.

Key changes (5)
  • iRMC driver removed entirely; BMH.Spec.Firmware deprecated — clusters using either must migrate before upgrading
  • CAPI bumped to v1.13.1, controller-runtime to v0.23.3, k8s group to v0.35.4 — dependency chain has shifted substantially
  • New HostClaim and HostClaimSet CRDs with Association logic now available for declarative host reservation workflows
  • Multi-architecture PXE boot support added, covering both x86_64 and aarch64 workloads
  • Per-host pull secrets for external OCI registries and forced Ironic host detachment are now supported
Source

wasmCloud

Orchestration & ManagementMay 7, 2026

wasmCloud v2.1.0 delivers operator reliability fixes, plugin support in services, and a wave of CI security hardening — a solid incremental release with a few operator-side changes worth watching.

  • securityBump wasmtime and run cargo audit in your own builds

    wasmtime was bumped alongside the removal of rustls-pemfile and the addition of cargo audit to the build pipeline. If you build wasmCloud components from source or maintain forks, add cargo audit to your own CI now. The dependency surface for WASM runtimes shifts fast, and catching advisories early matters.

  • breakingOperator readiness behavior changed — review your health checks

    The operator now only marks WorkloadDeployment as Ready when replicas are actually available. If your CI/CD pipelines or monitoring poll readiness status, they'll behave more correctly — but any tooling that relied on the previous optimistic Ready state may see deployments appear 'stuck' longer. Validate your rollout timeout thresholds after upgrading.

  • enhancementPlugin support in services opens new extension patterns

    Services now support plugins, which means you can attach custom behavior at the service layer without forking core components. If you've been waiting to extend service behavior in a maintainable way, this is the release to experiment with. Start by reviewing the updated service plugin API in the docs before designing new integrations.

Key changes (5)
  • WorkloadDeployment readiness now gates on actual replica availability, fixing misleading 'Ready' states in the operator
  • NATS subscription workload readiness fixed — previously reported ready before subscriptions were actually established
  • Plugin support added to services, expanding extensibility for service-layer customization
  • wasmtime bumped and cargo audit added for ongoing supply chain security hygiene
  • OpenSSF Scorecard and CodeQL workflows added to CI, alongside broader zizmor-based hardening
Source

Vitess

Storage & DataMay 7, 2026

Vitess v24.0.1 is a focused patch release fixing a VTGate query planner bug with DML subqueries, reverting a problematic VTOrc flag, and resolving flaky VTTablet unit tests.

  • breakingRemove VTOrc --cells-to-watch flag if you added it

    The 'cells to watch' flag introduced in #19354 has been reverted. If you added this flag to your VTOrc configuration or startup scripts after upgrading to v24.0.0, remove it before upgrading to v24.0.1 — VTOrc will fail to start with an unrecognized flag error.

  • enhancementUpgrade if you use DML subqueries through VTGate

    A query planner bug affected IN/NOT IN subqueries inside DML statements (INSERT/UPDATE/DELETE). Merged subqueries weren't being substituted correctly via ListArg placeholders, which could produce wrong query behavior. If your application runs DML with subqueries routed through VTGate, this patch directly addresses that correctness issue — upgrade promptly.

Key changes (4)
  • VTGate planner fix: DML IN/NOT IN subqueries now correctly use ListArg placeholders after merging — prevents potential query correctness issues
  • VTOrc reverted the 'cells to watch' flag (#19354) — if you applied that flag in v24.0.0, it's now gone and configs referencing it will need cleanup
  • VTTablet flaky unit tests fixed in go/mysql and vreplication — shared root cause addressed, improving CI reliability
  • vtcombo startup hang fixed — previously could block for up to 10 minutes if vtcombo exited during startup
Source

Vitess

Storage & DataMay 7, 2026

v23.0.4 is a stability-focused patch release fixing multiple panics in VTOrc, VTGate, and ERS, plus critical VReplication and routing rule bugs that could silently misdirect traffic.

  • securityGo upgraded to 1.25.9 — check your custom builds

    The Go runtime was bumped from 1.25.8 to 1.25.9 within this release cycle. If you build Vitess from source or maintain custom images, rebuild against go1.25.9 to pick up any runtime-level fixes included in that Go patch release.

  • breakingUpgrade immediately if you use ERS or semi-sync replication

    Three separate ERS bugs were fixed: nil pointer panics during errant GTID detection, broken cancellation logic, and IO threads not restarting on replicas after ERS failure. Any of these can leave your cluster in a degraded state after a failover. If you run semi-sync with VTOrc, the ReplicationStopped + PrimarySemiSyncBlocked deadlock fix is equally critical — it could stall recovery entirely. Upgrade before your next planned maintenance window at the latest.

  • enhancementRouting rule and schema-tracker fix affects multi-keyspace setups

    VTGate was not rebuilding routing rules after schema-tracker updates, and was dropping the target keyspace during routing rule AST rewrites. Both are silent bugs — queries appear to work but may land on the wrong keyspace. If you use routing rules with multiple keyspaces, validate query routing behavior after upgrading to confirm traffic is going where you expect.

Key changes (5)
  • Fixed panic in VTOrc when handling ReplicationStopped + PrimarySemiSyncBlocked recovery simultaneously — a deadlock risk in HA scenarios
  • EmergencyReparentShard (ERS) fixes: nil pointer panic in errant GTID detection, broken cancellation in reparentReplicas(), and IO thread restart failures after ERS failure
  • VTGate: routing rules now correctly rebuild after schema-tracker updates, and target keyspace is preserved when routing rules rewrite table AST — both are silent correctness bugs
  • VTGate: buffer no longer restarts after shutdown, preventing potential connection storms during controlled restarts
  • Go runtime upgraded to go1.25.9, and vitessdriver now correctly returns string for binary result values (regression fix)
Source

OpenFGA

SecurityMay 6, 2026

v1.15.1 is a stability patch fixing two serious runtime bugs — a potential deadlock in Check and a semaphore leak under context cancellation — plus a cache collision in the experimental weighted graph check.

  • securityCache key collision in `weighted_graph_check` could return incorrect authorization results

    If you're running the experimental `weighted_graph_check` feature, the cache collision bug means Check could return stale or wrong results for relationships in unions with direct types, wildcards, TTU paths, or intersections. This is an authorization correctness issue — wrong answers on permission checks. Upgrade before relying on this feature in any environment where correctness matters. If you can't upgrade immediately, disable the experimental feature flag.

  • breakingUpgrade immediately — deadlock and semaphore leak bugs affect production stability

    Two bugs here can quietly degrade running services. The deadlock in Check (message streams held open on error) can starve request processing over time. The semaphore leak in the bounded tuple reader under context cancellation means goroutine/resource exhaustion under load or timeout-heavy workloads. Neither requires config changes — just upgrade. If you've seen unexplained Check hangs or increasing resource pressure after cancellations, these are the culprits.

  • enhancementListObjects now handles short-circuit errors correctly

    A subtle bug was causing expected errors (non-fatal path short-circuits) to bubble up incorrectly in ListObjects responses. If you've seen unexpected errors returned from ListObjects queries that should have silently short-circuited, this fix resolves that. No action needed beyond upgrading — but worth re-validating ListObjects behavior in your test suite after the upgrade.

Key changes (5)
  • Fixed potential panic in command error handling
  • Fixed deadlock risk in Check by ensuring message streams close on error instead of hanging indefinitely
  • Fixed semaphore token leaks in the bounded tuple reader during context cancellation
  • Fixed cache key collisions in experimental `weighted_graph_check` affecting unions with multiple branches
  • Fixed incorrect error propagation in ListObjects when a path short-circuits
Source

Harbor

Storage & DataMay 6, 2026

Harbor v2.15.1 is a patch release focused on CVE fixes, security hardening, and several behavioral bug fixes including proxy cache, session management, and GC credential leak.

  • securityRedeploy now to stop Redis credentials leaking from GC job metadata

    Before this fix, the GC job stored the Redis URL (including credentials) in its extra attributes, which are accessible via the Harbor API and potentially logged. If you run GC jobs and have Redis auth configured, treat any previously captured GC job metadata as potentially containing plaintext credentials. Rotate Redis passwords and upgrade to v2.15.1 promptly.

  • securityCVE patches in base image — upgrade before your next scan cycle

    The Photon base image was updated specifically to address CVEs, then stabilized on photon:5.0. If you're running v2.15.0 in a security-conscious environment, your vulnerability scanner will likely flag the older image. Upgrade to v2.15.1 to clear those findings before they become audit issues.

  • enhancementSession behavior change: idle timeouts will now work as configured

    Background polling in the UI was silently keeping sessions alive indefinitely by resetting the TTL on every poll cycle. After this fix, sessions will actually expire when users are idle. If your org relies on session timeouts for compliance, this fix makes them effective. Warn users they may now be logged out after inactivity — this is correct behavior, not a regression.

Key changes (5)
  • Photon base image updated to fix CVEs; base image reverted to goharbor/photon:5.0
  • GC job now redacts Redis URL credentials from extra attributes — previously these could be exposed in logs or API responses
  • Background UI polling no longer renews session TTL, preventing phantom session extensions
  • DockerHub adapter now correctly calls /v2/auth/token for bearer token acquisition
  • go-jose and OpenTelemetry SDK dependencies bumped; Go runtime updated to 1.23.9
Source

Argo

CI/CD & App DeliveryMay 6, 2026

Argo CD 3.4.1 is the first 3.4 release (skipping 3.4.0), bringing a breaking cluster version format change for ApplicationSets, plus a large wave of bug fixes, performance improvements, and UI enhancements.

  • securityAdd X-Frame-Options/CSP headers and JWT logout invalidation

    Two security fixes landed: Swagger UI endpoints now return X-Frame-Options and Content-Security-Policy headers (mitigates clickjacking), and JWT tokens are invalidated server-side on logout (prevents session reuse after logout). Both are passive — no config changes needed — but if you run Argo CD behind a reverse proxy that strips security headers, verify the headers reach clients after upgrading.

  • breakingUpdate ApplicationSet cluster version labels before upgrading

    The kubernetes-version label format changed from Major.Minor (e.g., '1.29') to vMajor.Minor.Patch (e.g., 'v1.29.3') to match Helm 3.19.0. If you use ApplicationSet Cluster Generators with argocd.argoproj.io/auto-label-cluster-info, your existing cluster secrets carry the old format. After upgrading, update those secrets to use argocd.argoproj.io/kubernetes-version with the new format, or your cluster-version-based filters will stop matching. Check the 3.3-3.4 upgrade guide before rolling out.

  • enhancementAppSet controller and repo-server performance improvements worth monitoring

    Several perf fixes shipped: optimized parentUIDToChildren data structure, reduced secret deep-copies in the controller, parallel batching in CLI server-side diff, and optimized repoLock on checkout. If you've been seeing slow reconciliation or high CPU in the appset controller on large clusters, this upgrade should show measurable improvement. Monitor controller CPU and reconciliation latency metrics after rollout.

Key changes (5)
  • Breaking: Kubernetes cluster version format changed from Major.Minor to vMajor.Minor.Patch to align with Helm 3.19.0 behavior — ApplicationSet Cluster Generators using auto-label-cluster-info must update their label key
  • JWT tokens are now invalidated on logout, closing a session persistence gap
  • X-Frame-Options and CSP headers added to Swagger UI endpoints
  • Stack overflow fix for circular ownerRef processing in resource graphs — affects anyone with complex resource hierarchies
  • AppSet controller performance improved: optimized cluster secret fetching, application cache synchronization, and reduced secret deep-copies
Source

OpenYurt

Provisioning & RuntimeMay 6, 2026

OpenYurt v1.7.0 ships OTA image preheating for near-zero-downtime edge upgrades, label-driven YurtHub deployment, K8s-on-K8s support, and Kubernetes v1.34 compatibility — alongside removal of several deprecated components.

  • breakingAudit usage of removed components before upgrading

    YurtAppOverrider, YurtAppDaemon (controller + webhook), yurt-coordinator, and the delegate lease controller are gone. If your workloads or Helm charts reference any of these, they will break silently or fail to deploy post-upgrade. Audit your manifests, Helm values, and any automation scripts before cutting over. The NodePool CRD also moves to v1beta2 — verify your tooling handles the new API version and the renamed field (enableLeaderElections replaces enablePoolScopeMetadata).

  • enhancementAdopt OTA image preheating for edge DaemonSet upgrades

    If you manage DaemonSets on edge nodes with constrained or intermittent connectivity, the new ImagePreHeat controller is a practical fix for upgrade-induced downtime. Trigger preheating via the new OTA API endpoint before scheduling the rollout. Watch the PodImageReady condition to confirm images are cached before initiating the actual upgrade. This is especially valuable for large images or nodes behind slow WAN links.

  • enhancementSwitch to label-driven YurtHub onboarding

    The new YurtNodeConversionController lets you onboard and offboard edge nodes by applying a label — no more running yurtadm join manually per node. This is a meaningful operational improvement if you manage fleets of edge nodes. Start testing this workflow in a non-production node pool first, since it interacts with systemd directly and the feature is new in this release.

Key changes (5)
  • OTA upgrade now supports image preheating via a new ImagePreHeat controller, decoupling image pulls from rollout cutover to minimize downtime on slow/unstable edge networks
  • YurtNodeConversionController enables label-driven YurtHub installation and lifecycle management, replacing manual yurtadm join/reset workflows
  • K8s-on-K8s support added: deploy tenant Kubernetes control planes on top of an existing OpenYurt cluster, useful for multi-tenant isolation and edge IDC scenarios
  • NodePool CRD promoted to v1beta2, with leader election mechanics added to YurtHub — field renamed from enablePoolScopeMetadata to enableLeaderElections
  • YurtAppOverrider, YurtAppDaemon, yurt-coordinator, and the delegate lease controller are all removed in this release
Source

CRI-O

Kubernetes CoreMay 5, 2026

CRI-O v1.36.0 ships CNI health monitoring, configurable GOMAXPROCS injection, TLS hardening options, and a CVE fix — alongside a batch of race condition and cgroupv2 bug fixes.

  • securityPatch CVE-2026-35469 by upgrading to v1.36.0

    The spdystream dependency carried CVE-2026-35469. If you're running v1.35.x, this is a direct reason to upgrade. After upgrading, verify the release bundle with cosign against the signed bundle artifacts — the SLSA provenance and OpenVEX report are both available for this release.

  • breakingValidate CNI plugin behavior under new continuous health monitoring

    CRI-O now polls CNI plugins with STATUS after initial readiness. A plugin that was silently degraded will now actively set NetworkReady=false on the node, blocking pod scheduling. Before upgrading, confirm your CNI plugin properly implements the STATUS verb (Cilium, Calico, and Flannel do; older or custom plugins may not). Test in a non-production cluster first — this is a behavioral change that could surface latent CNI issues.

  • enhancementSet TLS minimums for the CRI-O API — don't leave defaults in production

    New `tls_min_version` and `tls_cipher_suites` options under `[crio.api]` let you enforce TLS 1.2+ and restrict weak cipher suites on the streaming and metrics endpoints. The default is TLS 1.2, but you should explicitly set `tls_min_version = TLS13` in security-sensitive environments and review your cipher suite policy. Update your configuration management (Ansible, SaltStack, etc.) to codify this before the next node rollout.

Key changes (5)
  • CVE-2026-35469 patched via spdystream dependency update — upgrade immediately if you're on v1.35.x
  • CNI plugin health is now continuously monitored via STATUS verb; unhealthy plugins flip the node to NetworkReady=false and self-heal on recovery
  • New `min_injected_gomaxprocs` config option sets a floor for GOMAXPROCS injected into every container, useful for CPU-constrained workloads
  • TLS 1.2/1.3 and cipher suite configuration added to the `[crio.api]` section for streaming and metrics servers
  • Fixed v1.35.0 regression: systemd containers with user namespaces (hostUsers: false) were failing with 'Permission denied' on cgroup creation
Source

wasmCloud

Orchestration & ManagementMay 5, 2026

A maintenance release focused on operator reliability, security hardening, and CI improvements. Key fixes address NATS workload readiness and Kubernetes operator deployment status accuracy.

  • securityWasmtime bump + cargo audit added — review your own Wasm supply chain

    This release bumps wasmtime and drops rustls-pemfile, while adding cargo audit to CI. If you're building custom wasmCloud components or providers in Rust, add cargo audit to your own pipelines now. The removal of rustls-pemfile suggests a dependency consolidation — check if any of your code directly imports it and update accordingly.

  • breakingOperator WorkloadDeployment readiness semantics changed

    The Ready condition on WorkloadDeployment now reflects actual replica availability rather than just the existence of the deployment. Any automation or health checks that relied on Ready=True firing quickly after deployment creation will now correctly wait for replicas to be up. Review any CD pipelines or readiness probes that poll WorkloadDeployment status — they should now behave more accurately, but may appear 'slower' to reach Ready.

  • enhancementNATS subscription readiness fix reduces false-positive healthy states

    Previously, hosts could report as ready before NATS subscriptions were actually established. After this fix, readiness is tied to actual subscription availability. If you're running wasmCloud in Kubernetes and using readiness gates or traffic routing based on host health, upgrade to get accurate readiness signals and avoid routing traffic to hosts that aren't yet fully connected.

Key changes (5)
  • Fixed NATS subscription workload readiness checks — hosts now correctly report ready state based on actual NATS sub availability
  • Kubernetes operator WorkloadDeployment Ready status now gates on actual replica availability, not just deployment creation
  • Bumped wasmtime, dropped rustls-pemfile, and added cargo audit to the build pipeline for supply chain security
  • HTTP router now returns typed RouteError with accurate HTTP status codes instead of generic errors
  • Upgraded async-nats to 0.47 and Go to 1.26 across the codebase
Source

Argo

CI/CD & App DeliveryMay 5, 2026

Argo CD v3.1.16 is a minor patch fixing a server-side double-delete error and bumping the SonarQube scan action dependency.

  • securityVerify cosign signatures after upgrading

    Every release is a good reminder to validate image provenance in your admission pipeline. Argo CD images meet SLSA Level 3 — if you're not yet enforcing signature verification at deploy time, now is a practical moment to wire that into your policy engine (e.g., Kyverno or OPA Gatekeeper).

  • enhancementApply patch if double-delete errors are hitting your workflows

    If your GitOps pipelines or operators occasionally retry delete operations (e.g., during cascade deletes or reconciliation loops), the previous behavior could surface spurious errors that confused alerting or caused retries to fail loudly. This fix cleans that up. Upgrade is low-risk given the narrow scope of changes.

Key changes (3)
  • Bug fix: server no longer throws an error when a second delete operation is attempted on the same resource
  • SonarQube scan action bumped from 5.2.0 to 8.0.0 in CI pipeline
  • All container images remain cosign-signed with SLSA Level 3 provenance
Source

Longhorn

Storage & DataMay 5, 2026

Longhorn v1.11.2 is a stability-focused patch fixing CSI scheduling breakage in compute/storage split architectures, infinite replica scheduling loops, and memory bloat in longhorn-manager.

  • breakingFix CSI scheduling in compute/storage split clusters — action required

    If you run a dedicated compute/storage node architecture and use WaitForFirstConsumer PVCs, your pods may have been stuck pending due to compute nodes reporting 0 CSI capacity. Upgrade to v1.11.2 and configure the new CSIStorageCapacity setting to prevent capacity reporting on non-storage nodes. Check your Longhorn settings after upgrade and validate that pending PVCs now schedule correctly.

  • breakingReplica Auto-Balance infinite loop — upgrade if you use Auto-Balance

    A bug caused Replica Auto-Balance to enter an infinite scheduling loop, which wastes CPU and can destabilize volume operations. If Auto-Balance is enabled in your cluster, this is a strong reason to prioritize this patch. No config change needed after upgrade — the fix is in the reconciliation logic.

  • enhancementMemory savings in longhorn-manager — relevant for large clusters

    Informer caching for longhorn-manager has been optimized to reduce cluster-wide memory consumption. In large clusters with many nodes and volumes, this can meaningfully reduce the manager pod's footprint. No action required beyond upgrading, but worth monitoring memory usage before and after to quantify the improvement in your environment.

Key changes (5)
  • New setting to control CSIStorageCapacity reporting — fixes WaitForFirstConsumer scheduling failures on compute nodes without Longhorn disks
  • Replica Auto-Balance infinite scheduling loop bug fixed, which could cause runaway reconciliation
  • Replica rebuild progress capped at 100% — cosmetic but caused confusion under flaky network conditions
  • longhorn-manager memory reduced via optimized cluster-wide informer caching
  • Node exhaustion from backup inspect buildup under NFS latency conditions resolved
Source

CRI-O

Kubernetes CoreMay 5, 2026

v1.35.3 patches CVE-2026-35469, fixes a container stop panic and exit-code race, adds CNI health monitoring (then reverts it), and introduces GOMAXPROCS floor injection for containers.

  • securityPatch CVE-2026-35469 by upgrading to v1.35.3

    The spdystream dependency had a vulnerability (CVE-2026-35469) fixed by bumping to moby/spdystream v0.5.1. If you're running v1.35.x, upgrade to v1.35.3 now. There's no workaround — the fix is only in the updated binary.

  • breakingCNI health monitoring was added and then reverted in the same release

    CRI-O briefly added continuous CNI plugin health checks using the STATUS verb, which would have marked nodes NetworkReady=false on plugin failures. It was reverted before this release shipped because it caused bootstrapping regressions. Net result: no behavior change for CNI in v1.35.3. But if you saw this feature in changelogs and planned for it, don't — it's gone and will likely return in a future release with fixes.

  • enhancementUse 'min_injected_gomaxprocs' to prevent CPU underutilization in containers with low CPU requests

    Containers with very low cpu.request values can end up with GOMAXPROCS=1, throttling Go-based workloads. The new 'min_injected_gomaxprocs' config field sets a floor so CRI-O injects max(floor, cpu.request) as GOMAXPROCS. This is particularly useful for Go-based sidecars or agents that are request-constrained but need threading headroom. Set this in your CRI-O config if you run Go workloads with conservative CPU requests.

Key changes (6)
  • CVE-2026-35469 fixed via spdystream dependency bump from v0.5.0 to v0.5.1
  • Panic on concurrent StopContainer calls fixed — this was a real crash risk in high-churn environments
  • Exit code 255 race condition resolved for fast-exiting containers
  • New 'min_injected_gomaxprocs' config option sets a floor for GOMAXPROCS injected into every container
  • CNI health monitoring (STATUS verb polling) was added then immediately reverted due to node bootstrapping regressions — net effect is no CNI monitoring change in this release
  • New 'container_runtime_crio_default_runtime' metric exposes which runtime is configured on the node
Source

CRI-O

Kubernetes CoreMay 5, 2026

CRI-O v1.34.8 patches CVE-2026-35469 in the spdystream dependency and adds two operator-facing features: a new runtime metric and configurable GOMAXPROCS injection.

  • securityPatch CVE-2026-35469 — update to v1.34.8 now

    The spdystream library had a vulnerability fixed in this release. spdystream is used for streaming connections (exec, attach, port-forward), so exposure is real in any cluster. Upgrade CRI-O to v1.34.8 on all nodes. No config changes required — the fix is purely a dependency bump.

  • enhancementUse the new runtime metric to audit node configurations

    The `container_runtime_crio_default_runtime` metric lets you confirm — via your existing Prometheus stack — that every node is actually running the runtime you expect (e.g., runc vs. kata-containers). This is particularly useful in mixed-runtime clusters or after node image upgrades where config drift can go undetected. Add an alert for unexpected runtime values once you've upgraded.

  • enhancementEvaluate min_injected_gomaxprocs for CPU-constrained workloads

    If you run containers with very low cpu.request values (e.g., 0.1 cores), Go runtimes default to GOMAXPROCS=1, which can serialize work that should be parallel. Setting `min_injected_gomaxprocs` raises the floor so those containers get a more reasonable thread count. Be cautious on dense nodes: raising GOMAXPROCS across all containers increases goroutine scheduling overhead. Test with a non-Guaranteed workload first and watch CPU throttling metrics before rolling out cluster-wide.

Key changes (4)
  • CVE-2026-35469 fixed by bumping moby/spdystream from v0.5.0 to v0.5.1
  • New `container_runtime_crio_default_runtime` metric exposes which container runtime is configured as default on each node
  • New `min_injected_gomaxprocs` config option sets a floor for GOMAXPROCS injected into every container CRI-O creates
  • GOMAXPROCS injection logic: CRI-O uses max(floor, cpu.request) except for Guaranteed QoS pods or partitioned workloads
Source

CRI-O

Kubernetes CoreMay 5, 2026

v1.33.12 patches CVE-2026-35469 via a spdystream dependency bump and adds a new min_injected_gomaxprocs option for controlling GOMAXPROCS floor in containers.

  • securityPatch CVE-2026-35469 — upgrade now

    The spdystream dependency update addresses CVE-2026-35469. Since spdystream handles HTTP/2 multiplexing in CRI-O's communication paths, any cluster running v1.33.x should move to v1.33.12 promptly. Check your vulnerability scanner results for this CVE and treat this as a routine security patch cycle rather than waiting for your next maintenance window.

  • enhancementUse min_injected_gomaxprocs to prevent CPU underutilization in Go workloads

    Go runtimes default GOMAXPROCS to the number of logical CPUs on the node, which causes goroutine scheduling inefficiency when containers have small cpu.request values. This new option lets you set a floor (e.g., 2 or 4) so containers don't get starved of OS threads. It only applies to Burstable and BestEffort pods — Guaranteed QoS pods and partitioned workloads are unaffected. Start by auditing Go-based workloads in your cluster that run with low cpu.request; set min_injected_gomaxprocs conservatively and monitor goroutine behavior before widening the floor.

Key changes (4)
  • CVE-2026-35469 fixed by updating moby/spdystream from v0.5.0 to v0.5.1
  • New min_injected_gomaxprocs config option sets a GOMAXPROCS floor for all containers CRI-O creates
  • GOMAXPROCS injection logic: CRI-O injects max(floor, cpu.request), but only for non-Guaranteed QoS pods or partitioned workloads
  • Guaranteed QoS pods and partitioned workloads are excluded from the GOMAXPROCS injection behavior
Source

in-toto

SecurityMay 4, 2026

in-toto v3.1.0 migrates away from sslib's hash functions, switches to ruff for code style, and refreshes Debian packaging — mostly maintenance, but the sslib change has dependency implications.

  • breakingAudit your sslib dependency if you use it alongside in-toto

    in-toto has internalized sslib's hash functions because sslib is being deprecated. If your project independently depends on sslib for other functionality, start planning a migration now — don't assume sslib will remain maintained. Check your dependency tree for anything that transitively pulls in sslib and evaluate whether those paths need updating.

  • enhancementUse the new `in-toto-run` return code passthrough in CI pipelines

    Previously, `in-toto-run` would swallow the wrapped command's exit code, which could mask failures in CI. With passthrough now enabled, the return code of the wrapped command propagates correctly. If you have shell scripts or CI steps that check exit codes after `in-toto-run`, verify your error handling still works as intended — behavior has changed and some pipelines may now surface previously hidden failures.

  • enhancementIf you contribute to or package in-toto, update your dev tooling to ruff

    The codebase now enforces ruff-based style rules. If you maintain a fork, downstream package, or contribute PRs, your existing flake8/pylint setup will likely flag false conflicts. Align your local dev environment with ruff before opening PRs against this version or later.

Key changes (5)
  • sslib hash functions ported directly into in-toto due to sslib deprecation — reduces external dependency
  • Code style tooling switched from existing linter to ruff (PEP 8 enforcement updated across codebase)
  • Debian dependencies and build rules refreshed for current packaging compatibility
  • CLI: `in-toto-run` now passes through the wrapped command's return code
  • Documentation updates covering pipeline configuration and general content improvements
Source

Kubescape

SecurityMay 4, 2026

v4.0.6 tackles a wave of false negatives, silent errors, and correctness bugs in scanning — namespace filters, exception matching, and OPA eval failures all get fixes that change scan results.

  • securityAudit vulnerability exception lists for case inconsistencies

    Exception matching for image scan CVE IDs was case-sensitive before this fix, meaning 'ghsa-xxxx' and 'GHSA-xxxx' were treated as different identifiers. Any exceptions defined with lowercase CVE/GHSA IDs were silently not applied. After upgrading, check that your exception lists use consistent casing and re-verify which vulnerabilities are actually being excepted.

  • securityRaw request bodies are no longer logged — review your log retention

    Kubescape's HTTP handler was logging full scan request bodies, which could include sensitive resource manifests or configuration data. That logging is now removed. If you've been collecting these logs, review and rotate any stored log data that may contain manifest content.

  • breakingExpect scan result changes after upgrading — false negatives are now real failures

    Two distinct bugs caused resources to silently disappear from scan results: OPA eval errors were swallowed, and partial GVR collection failures were suppressed. Both are fixed. If your baseline compliance scores looked suspiciously clean, re-run scans after upgrading and treat new failures as real findings that were always there, not regressions introduced by the upgrade.

Key changes (5)
  • OPA eval errors no longer silently drop resources — failures now surface instead of producing false negatives
  • Namespace filter now correctly preserves cluster-scoped resource results when --include-namespaces is set
  • CVE exception matching is now case-insensitive, fixing missed exceptions on lowercase CVE IDs
  • Helm value overrides can now be passed through kubescape scan, and Kustomize directories with Helm dependencies render correctly
  • Raw scan request bodies are no longer logged, and concurrent exception file writes get unique temp files per request
Source

Buildpacks

CI/CD & App DeliveryMay 2, 2026

Buildpacks v0.40.4 was released, but the published notes are too brief to summarize. See the original release notes for details.

Source

wasmCloud

Orchestration & ManagementMay 1, 2026

A maintenance release focused on operator reliability, NATS subscription readiness, and security dependency bumps — no API changes, but a few fixes matter in production.

  • securityUpgrade to pick up wasmtime security bump and new audit pipeline

    wasmtime was bumped and rustls-pemfile was removed as a dependency in this release. cargo audit has also been wired into CI, meaning future vulnerabilities in the dependency tree will be caught earlier. If you're running 2.0.5 or earlier, upgrade now — there's no reason to stay on an older wasmtime in a Wasm runtime.

  • breakingOperator readiness behavior changed — review your health checks and rollout strategies

    WorkloadDeployment Ready status is now gated on replica availability, not just the existence of a deployment object. If your CI/CD pipelines or monitoring systems check for the Ready condition to gate traffic or proceed with rollouts, they'll now see a more accurate (and potentially longer) 'not ready' window. Verify your rollout wait conditions and alerting thresholds won't false-alarm during normal startup.

  • enhancementNATS subscription readiness fix — relevant if you've seen premature ready signals

    The fix for NATS subscription workload readiness means the host now correctly waits before reporting ready. If you've dealt with race conditions at startup where components tried to subscribe before NATS connections were fully established, this should resolve those. No config changes needed — just upgrade and validate your startup sequence behaves as expected.

Key changes (5)
  • HTTP routing now returns typed RouteError with accurate HTTP status codes instead of generic errors
  • Operator WorkloadDeployment readiness is now gated on actual replica availability, not just deployment creation
  • Fixed workload readiness detection for NATS subscriptions — previously could report ready prematurely
  • wasmtime bumped, rustls-pemfile dropped, and cargo audit added to the CI pipeline for ongoing vulnerability scanning
  • async-nats upgraded to 0.47 and Go runtime upgraded to 1.26
Source

etcd

Kubernetes CoreMay 1, 2026

etcd v3.6.11 is a patch release. The release notes are sparse — check the full CHANGELOG for specifics before upgrading.

  • breakingRead the upgrade guide before patching

    The release explicitly warns of potential breaking changes in the 3.6 upgrade path. Don't treat this as a routine patch drop — pull the CHANGELOG-3.6.md and the upgrade guide, diff against your current version, and validate in a non-prod cluster first.

  • enhancementVerify container registry source in your pipelines

    etcd's primary registry is gcr.io, not Docker Hub or quay.io. If your CI/CD or Kubernetes manifests still pin quay.io/coreos/etcd, you're on the secondary mirror which may lag. Update image references to gcr.io/etcd-development/etcd to stay on the canonical source.

Key changes (4)
  • No inline changelog provided; full details live in CHANGELOG-3.6.md
  • Upgrade guide should be reviewed before applying — breaking changes may exist in the 3.6 series
  • Primary container image served from gcr.io/etcd-development/etcd, with quay.io/coreos/etcd as fallback
  • Supported platform matrix updated — verify your OS/arch combo before deploying
Source

etcd

Kubernetes CoreMay 1, 2026

etcd v3.5.30 is a maintenance release in the 3.5 series. No release notes were published beyond pointers to the full changelog — check the CHANGELOG-3.5.md directly for specifics.

  • breakingRead the full CHANGELOG before upgrading

    The release announcement is intentionally sparse — it just points to CHANGELOG-3.5.md. Before upgrading any etcd cluster, pull up that changelog directly and review every entry since your current version. etcd upgrades in production clusters carry real risk; skipping the changelog review is how you get surprised by behavior changes or data format shifts.

  • enhancementStick to gcr.io as your primary image source

    The release explicitly lists gcr.io/etcd-development/etcd as primary and quay.io/coreos/etcd as secondary. If your deployment pipelines or air-gapped mirrors are still defaulting to quay.io, consider updating them to match the project's own priority — gcr.io tends to get images published first.

Key changes (4)
  • No detailed release notes provided in this release announcement
  • Full change list available in CHANGELOG-3.5.md on the etcd GitHub repository
  • Upgrade guide should be reviewed before upgrading, as breaking changes may be present
  • Container images available on gcr.io/etcd-development/etcd (primary) and quay.io/coreos/etcd (secondary)
Source

etcd

Kubernetes CoreMay 1, 2026

etcd v3.4.44 is a maintenance release on the 3.4 branch. Release notes are sparse — check the full CHANGELOG for the actual fix list before upgrading.

  • breakingReview CHANGELOG before upgrading — release notes are empty

    The published release notes contain no change summary. Before upgrading any production cluster, pull up CHANGELOG-3.4.md directly and diff against your current version. Skipping this step on a Kubernetes control plane means you could hit an undocumented behavioral change mid-upgrade.

  • enhancementStill on 3.4? Evaluate migration to 3.5

    3.4.x receives only critical fixes at this point. If you're running etcd as a Kubernetes backing store, now is a good time to plan a move to 3.5, which has a longer active support runway. Check Kubernetes version compatibility before scheduling the upgrade.

Key changes (4)
  • Maintenance release on the 3.4.x stable branch
  • Full change details available only in the CHANGELOG-3.4.md, not summarized in release notes
  • Container images available on gcr.io/etcd-development/etcd (primary) and quay.io/coreos/etcd (secondary)
  • Upgrade guide should be reviewed before applying, as breaking changes may be present
Source

Linkerd

Networking & MessagingMay 1, 2026

A routine edge release dominated by dependency bumps, with two meaningful bug fixes: multicluster service cleanup now respects namespaces, and a CLI gateway API version correction.

  • securityRust TLS stack updated — aws-lc-rs, rustls-webpki, rustls-pki-types all bumped

    Several TLS-adjacent crates were updated in one shot: aws-lc-rs 1.16.3, rustls-webpki 0.103.13, and rustls-pki-types 1.14.1. No CVEs are called out explicitly, but these are the cryptographic underpinnings of Linkerd's mTLS. If you're in a security-sensitive environment, this is a good reason to pull this edge over older ones.

  • breakingKubernetes 1.31 is now the minimum supported version

    The MSKV bump to 1.31 means clusters running 1.30 or older are no longer in the supported envelope. Check your cluster versions before adopting this edge release — if you're still on 1.30, upgrade Kubernetes first or hold on this Linkerd edge.

  • enhancementFix multicluster namespace-scoped service cleanup before upgrading

    If you run Linkerd multicluster and have services spread across multiple namespaces, the previous cleanup logic could operate beyond its intended namespace scope. This fix is a correctness improvement — after upgrading, verify your mirrored services are in the expected state, especially if you've seen unexpected service deletions or stale mirrors in non-default namespaces.

Key changes (6)
  • Multicluster service cleanup logic now correctly scopes to namespaces, preventing cross-namespace service deletion bugs
  • CLI user instructions now reference the correct Gateway API version
  • New Helm value `gateway.healthCheckNodePort` added for gateway deployments
  • Destination controller refactored to use shared-filtering logic
  • Minimum supported Kubernetes version (MSKV) bumped to 1.31
  • Multiple Rust dependency updates: hyper 1.9.0, tokio 1.52.1, aws-lc-rs 1.16.3, rustls-webpki 0.103.13
Source

containerd

Kubernetes CoreApr 30, 2026

containerd 2.3.0 is the first LTS release under the new Kubernetes-aligned 4-month cadence, offering 2+ years of support with major NRI, EROFS, and observability improvements.

  • breakingRename NRI plugins with commas in their names before upgrading

    The new OCI hook owner accumulation logic uses commas as delimiters internally, so any NRI plugin whose name contains a comma will break. Audit your NRI plugin names now. If any contain commas, rename them before rolling out 2.3.0 — this affects both the plugin binary name and any configuration referencing it.

  • enhancementPlan your 1.7 → 2.3 LTS migration now

    This is the designated upgrade target from containerd 1.7 LTS. The project explicitly tests and supports direct sequential LTS-to-LTS upgrades. If you're still on 1.7, this is the right time to build a migration plan — 2.3 gets at least two years of support, making it the stable foundation for Kubernetes clusters through roughly 2027.

  • enhancementEnable trace propagation for better plugin and runtime observability

    OTel traces now flow through gRPC RPCs between containerd and its plugins, and trace IDs can be injected into log lines. If you run a distributed tracing stack (Jaeger, Tempo, etc.), configure the OTLP exporter in containerd's config and enable trace ID injection in logging. This closes a major gap where container lifecycle events were invisible to your tracing backend.

Key changes (5)
  • First LTS release in the 2.x line — direct upgrade path from 1.7 LTS is tested and supported
  • NRI gets massive capability expansion: user/group IDs, seccomp policy, rlimits, sysctls, network devices, Intel RDT, and kernel scheduling policy now all passable to plugins
  • EROFS support matures with zstd-wrapped layers, dmverity integration, and native container image media types
  • OpenTelemetry traces now propagate through outgoing gRPC RPCs from plugin clients, with trace ID injection into logs
  • NRI breaking change: commas are no longer allowed in plugin names due to OCI hook owner accumulation logic
Source

OpenFeature

CI/CD & App DeliveryApr 30, 2026

flagd core v0.15.5 fixes evaluation correctness bugs in fractional rollouts and JSONLogic and/or operators — teams relying on complex flag targeting rules should upgrade.

  • securityDependency security alerts resolved

    Dependabot security alerts were resolved in this release. No CVEs are called out explicitly, but the dependency updates address known vulnerabilities in transitive deps. Upgrade if you're running flagd in a security-sensitive environment.

  • breakingFractional evaluator fix: upgrade if you use targeting keys

    Null or missing targeting keys in fractional evaluators previously caused undefined behavior. If your flag rules use fractional/percentage rollouts and some users may lack a targeting key (e.g. anonymous users), upgrade to avoid incorrect bucket assignments.

  • breakingJSONLogic and/or bug fix may change evaluation results

    The jsonlogic and/or operator bug could cause flag rules with compound boolean logic to evaluate incorrectly. Review any rules relying on and/or conditions after upgrading — results may change from what you saw in v0.15.4.

Key changes (5)
  • Fractional evaluator now handles missing or null targeting keys without crashing or misbehaving
  • JSONLogic and/or operator bug fixed — compound boolean flag rules evaluate correctly now
  • Custom operator conformance fixes improve spec compliance
  • OTel service name and version can now be overridden correctly
  • Dependabot security alert dependencies updated
Source

OpenFeature

CI/CD & App DeliveryApr 30, 2026

OpenFeature flagd-proxy/v0.9.5 was released, but the published notes are too brief to summarize. See the original release notes for details.

Source

OpenFeature

CI/CD & App DeliveryApr 30, 2026

OpenFeature flagd/v0.15.5 was released, but the published notes are too brief to summarize. See the original release notes for details.

Source

Argo

CI/CD & App DeliveryApr 30, 2026

v3.3.9 is a focused patch addressing four bugs — including a panic in ApplicationSet DuckType Generator and a UI crash in pod logs — plus a Go version bump to resolve CVEs.

  • securityUpgrade to patch Go-level CVEs

    The Go runtime was bumped specifically to resolve CVEs. The release notes don't enumerate the exact CVE IDs, but if you're running 3.3.x in production, upgrade to 3.3.9 now rather than waiting for your next maintenance window. All container images are cosign-signed and SLSA Level 3 provenance is available — verify signatures before deploying if your pipeline requires it.

  • breakingApplicationSet DuckType Generator panic is now fixed — review affected ApplicationSets

    If you use DuckType Generators and have clusters with non-string label values, previous versions would silently panic. After upgrading, those ApplicationSets will now process correctly rather than crashing. Do a quick audit of your ApplicationSet resources post-upgrade to confirm they're reconciling as expected — you may see previously-failing sets suddenly become active.

  • enhancementOCI metadata caching restored — expect reduced registry pressure

    The Redis cache for OCI metadata was broken, meaning every OCI source lookup was hitting the registry directly. With this fix, caching works again. If you use OCI-sourced ApplicationSets or Helm charts, you should see reduced latency and fewer registry requests after upgrading. No configuration change needed.

Key changes (5)
  • Fixed panic in ApplicationSet DuckType Generator when encountering non-string values in cluster labels
  • Fixed pod logs viewer UI crash caused by stale container index references
  • Fixed double-delete error on the server side to prevent spurious errors during cleanup operations
  • Fixed OCI metadata put/get to/from Redis cache, restoring proper caching behavior
  • Bumped Go version to patch CVEs in the Go standard library
Source

Argo

CI/CD & App DeliveryApr 30, 2026

Argo CD v3.2.11 is a patch release fixing three UI/server bugs — a double-delete error, a 401 stream crash, and a pod logs viewer crash on stale container indices.

  • enhancementApply this patch if your team uses the pod logs viewer or streaming UI features

    Two of the three fixes target UI stability — the pod logs crash on stale container indices and the 401 stream error. Both are silent killers in day-to-day operations: engineers open the logs viewer during an incident and hit a blank screen or crash. Drop this patch into your next maintenance window. No config changes needed.

  • enhancementDouble-delete server error is fixed — relevant if you use automated cleanup workflows

    If your pipelines or operators trigger multiple delete attempts on the same Argo CD resource (common in GitOps reconciliation loops or scripted teardowns), the server previously returned an error on the second attempt. This is now handled gracefully. No action required beyond upgrading.

Key changes (5)
  • Fixed server error when a second delete operation is attempted on the same resource
  • Fixed UI crash when a 401 unauthorized error occurs in a streaming connection
  • Fixed pod logs viewer crash caused by stale container index references
  • Bumped SonarQube scan action dependency from 5.3.1 to 8.0.0
  • All container images remain cosign-signed with SLSA Level 3 provenance
Source

Open Policy Agent (OPA)

SecurityApr 30, 2026

v1.16.0 brings new URI builtins, Data API metadata support, OTLP metrics export, and critical fixes for log dropping and log buffer eviction bugs introduced in v1.15.x.

  • securityunits.parse_bytes exponent cap prevents timeout bypass

    Extremely large exponent values in units.parse_bytes could be used to cause evaluation timeouts, potentially bypassing policy enforcement. This is fixed in v1.16.0 by capping the exponent size. If your policies accept user-controlled input that gets passed to units.parse_bytes, this fix is directly relevant — upgrade and review any policies that parse byte strings from untrusted sources.

  • breakingUpgrade from v1.15.x immediately — logs are silently dropped

    A BufferedLogger bug in v1.15.x caused bundle download logs, print() debug output, and plugin logs to be dropped after the first flush. This is silent data loss in your observability stack. If you're running v1.15.x in any environment where decision logs or debug output matter, upgrade to v1.16.0 now. Check your log pipeline for gaps if you've been running v1.15.x in production.

  • enhancementUse new uri.parse / uri.is_valid builtins to replace fragile regex-based URL validation

    Many OPA policies today use regex or string manipulation to validate or decompose URLs — a brittle approach. The new uri.parse builtin returns structured RFC 3986 components (scheme, host, path, query, etc.), and uri.is_valid does a clean true/false structural check. If you have policies handling redirect URIs, webhook URLs, or any URL-bearing input, replace your custom parsing logic with these builtins. The structured output makes it easier to write precise, readable rules.

Key changes (5)
  • New uri.parse and uri.is_valid builtins for RFC 3986-compliant URI handling in policy
  • Data API now supports request/response metadata for wrapping projects — custom fields logged under decision log Custom['request_metadata']
  • Prometheus metrics can now be exported via OTLP, unifying observability pipelines
  • Critical fix: v1.15.x dropped logs for bundle downloads, print() calls, and plugin-originated logs — upgrade immediately if on v1.15.x
  • units.parse_bytes exponent size now capped to prevent potential timeout bypass (security hardening)
Source

NATS

Networking & MessagingApr 30, 2026

NATS v2.14.0 (skipping 2.13.x) brings JetStream scheduling, fast-ingest batch publishing, consumer reset API, and critical Raft data-loss fixes. Review the upgrade guide before deploying.

  • breakingRead the 2.14 Upgrade Guide — 2.13.x was skipped

    This release jumps from 2.12.x to 2.14.x. The upgrade guide covers backwards compatibility breaks you must address. If you use ACLs on JetStream ACK or flow control subjects, the new domain-aware format ($JS.ACK.domain.acchash.stream.consumer.>) is disabled by default now but becomes the default in v2.15 — start updating your ACL rules now so the v2.15 upgrade isn't a fire drill.

  • breakingRaft startup now fails on corrupt/missing snapshots — test your recovery procedures

    Previously, a node with a corrupt or misaligned snapshot might start silently with bad state. Now it refuses to start. This is the right behavior, but if you have any clusters with questionable disk health or have experienced unclean shutdowns, validate your snapshot integrity before rolling this upgrade out. Ensure your ops runbook covers the recovery path for this scenario.

  • enhancementConsumer Reset API removes a painful operational pattern

    Rewinding a consumer previously meant deleting and recreating it — disruptive and error-prone. The new $JS.API.CONSUMER.RESET API lets you move a consumer back to an earlier sequence in place. If you maintain any tooling or runbooks that handle consumer rewind or replay scenarios, update them to use this API. It's also useful for incident recovery workflows.

Key changes (5)
  • Fast-ingest batch publishing for high-throughput JetStream workloads (ADR-50)
  • Repeating/cron-based message schedules via Nats-Schedule header (ADR-51)
  • Consumer reset API — rewind a consumer without delete/recreate
  • Domain-aware ACK/FC subjects (js_ack_fc_v2 flag, becomes default in v2.15)
  • Raft nodes no longer start on missing/corrupt snapshots, preventing silent data loss
Source

Vitess

Storage & DataApr 30, 2026

Vitess v24 ships structured JSON logging by default, window function pushdown for sharded keyspaces, OpenTelemetry tracing, and a security fix for backup manifest command injection. 460 PRs merged.

  • securityBackup MANIFEST command injection is now blocked by default

    Prior to v24, an attacker with write access to backup storage could modify the MANIFEST file to inject arbitrary shell commands that VTTablet would execute during restore. This is now blocked — the MANIFEST decompressor field is ignored unless you explicitly pass --external-decompressor-use-manifest. If you're on v23 or earlier, treat backup storage access controls as a security boundary and audit who can write to it.

  • breakingAudit backup restore configs for MANIFEST decompressor

    If your VTTablet restore process relied on the decompressor command stored in backup MANIFESTs (i.e., you never set --external-decompressor but backups still decompressed), restores will silently skip decompression in v24 and likely fail. Add --external-decompressor-use-manifest to your VTTablet config to preserve old behavior, but read the security advisory first: a compromised backup store could execute arbitrary commands on your tablet. Evaluate whether you actually need this or can pass --external-decompressor explicitly instead.

  • breakingRemove deprecated VTOrc API endpoint and metric references

    The /api/replication-analysis endpoint returns 404 in v24 — any monitoring scripts, Grafana dashboards, or alerting rules hitting that URL will break silently or with errors. Switch to /api/detection-analysis (same params, same response format). Also replace DiscoverInstanceTimings with DiscoveryInstanceTimings in dashboards. Do this before deploying v24 to production.

  • enhancementMigrate tracing to OpenTelemetry now, not in v25

    opentracing-jaeger and opentracing-datadog are deprecated in v24 and will be removed in v25. The migration is straightforward: replace --tracer opentracing-jaeger with --tracer opentelemetry, and swap --jaeger-agent-host host:port for --otel-endpoint host:4317. Jaeger v1.35+ accepts OTLP on port 4317 by default. Datadog users should point to the Agent's OTLP ingestion endpoint. Do this upgrade cycle, not the next one.

  • enhancementAdd --cell flag to VTOrc now

    --cell is optional in v24 but becomes required in v25. Multi-cell deployments especially should add it now — startup validation against the topology will catch misconfiguration early, and it unblocks future cross-cell recovery logic in VTOrc. One flag, no downtime, avoids a forced change next release.

Key changes (6)
  • Structured JSON logging is now the default (--log-format=text for human-readable; glog deprecated, removed in v25)
  • Window functions can now push down to shards when PARTITION BY matches a unique vindex — no more forced single-shard routing
  • External decompressor command from backup MANIFEST is ignored by default (security fix); opt-in required via --external-decompressor-use-manifest
  • OpenTracing backends (jaeger, datadog) deprecated; migrate to --tracer opentelemetry before v25
  • VTOrc /api/replication-analysis endpoint and DiscoverInstanceTimings metric removed — update dashboards and scripts now
  • --grpc-send-session-in-streaming flag removed from VTGate; session is always sent in streaming responses
Source

Karmada

Orchestration & ManagementApr 30, 2026

Karmada v1.17.2 is a patch release fixing scheduler misrouting bugs, operator reconciliation failures, and a Job replica assignment error — plus an Alpine base image bump for security.

  • securityRebuild or pull updated images to get the Alpine 3.23.4 base

    The base image was bumped from Alpine 3.23.3 to 3.23.4. If you're running air-gapped or mirrored image setups, make sure to pull and mirror the new v1.17.2 images. Check Alpine's changelog for the specific CVEs addressed if your compliance process requires it.

  • breakingScheduler backoffQ misrouting may have masked real scheduling failures

    Bindings with insufficient cluster replicas were incorrectly queued in backoffQ instead of unschedulableBindings. This means your scheduler may have been retrying workloads on an exponential backoff schedule rather than surfacing them as unschedulable. After upgrading, expect some previously silent failures to become visible in unschedulableBindings — review any workloads that seemed stuck or slow to schedule.

  • enhancementUpgrade if you use karmada-operator with custom tolerations/affinity or multi-cluster Jobs

    Two high-impact fixes landed here: operator-managed deployments were silently ignoring tolerations and affinity configs, which could cause pods to land on unintended nodes. And Job completion counts were being assigned incorrectly across clusters, which could corrupt Job semantics in distributed workloads. Both are straightforward regressions worth patching immediately if either feature is in use.

Key changes (6)
  • karmada-operator now correctly applies tolerations and affinity settings to karmada-aggregated-apiserver and karmada-search deployments
  • Fixed non-idempotent secret creation that caused operator init reconciliation failures on repeated runs
  • Scheduler no longer misroutes bindings with insufficient replicas to backoffQ — they now correctly land in unschedulableBindings
  • Schedule success events with ClusterAffinities now include proper cluster information
  • Job completions are now distributed correctly across clusters instead of being assigned to wrong replicas
  • Base Alpine image bumped from 3.23.3 to 3.23.4 to address security concerns
Source

Karmada

Orchestration & ManagementApr 30, 2026

Karmada v1.16.5 is a focused patch release fixing scheduler queue misrouting, Job replica assignment errors, and operator reconciliation failures, plus an Alpine base image bump.

  • securityAlpine 3.23.4 base image — rebuild and redeploy your Karmada components

    The Alpine bump from 3.23.3 to 3.23.4 addresses upstream security concerns. If you're running custom-built Karmada images or have image scanning in your pipeline, update your base images accordingly. The official images in this release already include the updated base.

  • breakingScheduler queue misrouting causes stalled workloads — patch immediately

    The backoffQ vs unschedulableBindings misrouting bug means workloads with insufficient cluster replicas may have been stuck in the wrong queue, causing unexpected scheduling delays or failures. If you've seen bindings that appear perpetually pending despite enough cluster capacity becoming available, this fix directly addresses that. Upgrade to v1.16.5 and check for any bindings that are stuck — they should reschedule automatically after the upgrade.

  • breakingJob completions were assigned to wrong clusters — review existing Job distributions

    The Job completion replica assignment bug could have led to incorrect work distribution across member clusters. Jobs that ran on this version may have had skewed completion counts per cluster. After upgrading, inspect any multi-cluster Jobs that were scheduled on v1.16.4 to verify their completion semantics were not affected in production.

Key changes (5)
  • karmada-operator: Secret creation made idempotent, fixing init reconciliation failures on retry
  • karmada-scheduler: Bindings with insufficient cluster replicas now correctly land in unschedulableBindings queue instead of backoffQ
  • karmada-scheduler: Schedule success events now include cluster info when using ClusterAffinities
  • Job completions now assigned correctly per cluster instead of being misrouted across replicas
  • Base image updated from alpine:3.23.3 to alpine:3.23.4 for security fixes
Source

Karmada

Orchestration & ManagementApr 30, 2026

Karmada v1.15.8 is a targeted bug-fix patch addressing scheduler queue misrouting, missing cluster info in events, and an operator reconciliation failure. Alpine base image bumped for security.

  • securityRebuild and redeploy to pick up alpine:3.23.4 patches

    The alpine base image bump from 3.23.3 to 3.23.4 addresses unspecified security concerns. If you're running custom Karmada images built from the upstream base, rebuild against the new base. If you're using official images, pulling v1.15.8 is sufficient.

  • breakingScheduler queue misrouting can cause workloads to be stuck — patch immediately

    The backoffQ bug is particularly dangerous in production: when a binding hits insufficient replicas, it gets retried with exponential backoff instead of being placed in unschedulableBindings where it belongs. This means your workloads silently wait longer than expected before rescheduling. If you're running ClusterAffinities with replica constraints, upgrade to v1.15.8 — don't wait on this one.

  • enhancementOperator idempotency fix prevents init reconciliation crashes on restarts

    The non-idempotent secret creation in karmada-operator meant that if the operator restarted mid-initialization, reconciliation would fail. This is now fixed with an idempotent approach. If you've been seeing operator init failures after pod restarts or rolling updates, this patch resolves the root cause.

Key changes (4)
  • karmada-operator: Fixed non-idempotent secret creation that caused init reconciliation failures on retry
  • karmada-scheduler: Schedule success events now include cluster information when using ClusterAffinities
  • karmada-scheduler: Bindings with insufficient cluster replicas now correctly land in unschedulableBindings queue instead of backoffQ
  • Base image updated from alpine:3.23.3 to alpine:3.23.4 to address security concerns
Source

containerd

Kubernetes CoreApr 30, 2026

containerd API v1.11.0 ships a new shim bootstrap protocol, container filesystem copy transfer types, and sandbox spec field support — aligning with the containerd 2.3 runtime release.

  • securitygRPC updated from v1.59.0 to v1.79.3 — multiple CVE fixes included

    A 20-minor-version jump in gRPC covers a significant span of security and stability fixes. If your environment pins or vendors gRPC separately, reconcile your dependency tree against v1.79.3. The golang.org/x/* packages also moved forward across the board, so a full dependency audit is warranted before deploying this API version in production.

  • breakingSandbox API: Container field removed, update any sandbox metadata consumers

    The Container field has been dropped from sandbox metadata and replaced with a spec field. If you have tooling, controllers, or custom runtimes that read or write sandbox metadata directly, audit them now. This is an API-level change — anything compiled against the old proto definitions will break at runtime when targeting containerd 2.3.

  • breakingShim bootstrap protocol is now protobuf — custom shim implementations need updating

    The new shim bootstrap protocol switches from JSON to protobuf and uses enums instead of strings for capabilities and log levels. If you maintain a custom shim or vendor the containerd API, you must update your bootstrap handling before deploying containerd 2.3. Third-party shims (e.g., kata-containers, nydus) likely need corresponding releases — check their compatibility before upgrading.

Key changes (6)
  • New shim bootstrap protocol introduced: uses protobuf (not JSON), enums for capabilities/log levels, and includes containerd version at shim launch
  • Shim socket directory now uses the configured state directory instead of a hardcoded path
  • Transfer API gains new types for container filesystem copy operations
  • Sandbox API updated: Container field removed, spec field added to sandbox metadata
  • EROFS native container image support extended with os.features field in platform proto
  • gRPC dependency jumped from v1.59.0 to v1.79.3; protobuf toolchain migrated from protobuild to buf
Source

Backstage

CI/CD & App DeliveryApr 29, 2026

Backstage v1.50.4 was released, but the published notes are too brief to summarize. See the original release notes for details.

Source

KServe

AI & MLApr 29, 2026

KServe v0.18.0 is a large release dominated by LLMInferenceService (llmisvc) maturation, two CVE fixes, and multi-node inference groundwork—teams running LLM workloads should review carefully before upgrading.

  • securityApply immediately: three CVE fixes in this release

    CVE-2026-32597 (PyJWT critical header bypass), CVE-2026-33186 (gRPC authorization bypass), and CVE-2026-30922 (pyasn1 DoS) are all patched here. If you're running KServe with gRPC inference endpoints or Python-based runtimes exposed externally, these are not optional. Upgrade to v0.18.0 or apply the patches to your current version. The gRPC bypass in particular could allow unauthenticated requests to reach protected inference endpoints.

  • breakingPYTHONPATH is now blocked in webhooks—audit your ServingRuntimes

    A new webhook validation blocks PYTHONPATH from being set in InferenceService or ServingRuntime specs. If any of your custom ServingRuntimes or ISVCs set PYTHONPATH (a common pattern for custom Python module paths), they will be rejected at admission after this upgrade. Audit all your ServingRuntime and ISVC manifests before upgrading and remove or replace PYTHONPATH usage.

  • breakingHelm chart renamed to 'kserve-resources'—update your Helm releases

    The KServe Helm chart name changed from 'kserve' to 'kserve-resources'. If you manage KServe via Helm, a naive upgrade will not find the old release name. Plan a migration: either rename the existing Helm release or uninstall/reinstall. CI pipelines, GitOps configs, and any tooling referencing the chart name need updating before you run the upgrade.

  • enhancementLLMInferenceService autoscaling is production-ready—evaluate for LLM workloads

    v0.18.0 ships KEDA/HPA and WVA-based autoscaling for LLMInferenceService, plus LWS as an autoscaling target for multi-node workloads. If you're running vLLM-backed inference at scale and hitting manual scaling pain, now is a good time to test llmisvc autoscaling in staging. The WVA dependency was bumped to v0.6.0-rc3, so treat it as near-stable but not fully GA.

Key changes (5)
  • Two CVEs patched: PyJWT critical-header validation (CVE-2026-32597), gRPC authorization bypass (CVE-2026-33186), and pyasn1 DoS (CVE-2026-30922)—security fixes affect Python serving runtimes and gRPC paths
  • LLMInferenceService gains autoscaling via KEDA/HPA/WVA, LWS multi-node autoscaling target, TLS support, storage migration, and InferencePool readiness evaluation
  • PYTHONPATH env var is now blocked in ISVC and ServingRuntime webhooks—any serving runtime injecting PYTHONPATH will fail admission
  • Namespace-scoped ModelCache added, with download jobs running in the job namespace
  • Helm chart renamed from 'kserve' to 'kserve-resources'; vLLM bumped to 0.19.0, MLServer to 1.7.1
Source

Kyverno

SecurityApr 29, 2026

Kyverno 1.18 hardens HTTP context security with blocklist enforcement and scoped tokens, fixes multiple image verification bugs including a silent bypass, and expands CLI policy testing coverage.

  • securityAudit HTTP context policies before upgrading — blocklist is now enforced

    Any policy using HTTP context loading will now be subject to a configurable blocklist. Calls that previously succeeded might be blocked after upgrade. Before rolling out 1.18, inventory all policies with HTTP context entries, verify their target URLs are not on the default blocklist, and configure FLAG_HTTP_BLOCKLIST overrides where needed. Also check that scoped token authorization doesn't break policies relying on broader token access. Test in a non-production cluster first.

  • securityImage verification silent bypass is patched — verify your policies are actually enforcing

    A bug in processResourceWithPatches caused it to return nil on patch failure, which silently skipped image verification. If you've been running image verification policies and assumed they were enforcing, run a retroactive compliance scan after upgrading to confirm enforcement was working as expected. Also check the CVE fixes: CVE-2026-32280 (intermediate cert limiting) and CVE-2026-32283 (Go toolchain upgrade) are included in this release and warrant upgrading promptly.

  • enhancementUse successEventActions to reduce event spam in large clusters

    High-traffic clusters with broad Kyverno policies generate enormous volumes of success events, which can overwhelm etcd and make event streams useless. The new successEventActions ConfigMap parameter lets you filter exactly which success events get emitted. Add this to your Kyverno ConfigMap after upgrading and tune it based on which policy actions actually need visibility. Pairs well with the existing omitEvents setting — watch out for the new warning if you configure conflicting values.

Key changes (5)
  • HTTP context calls now enforce a configurable blocklist and use scoped tokens — policies making external HTTP calls need review against new security constraints
  • imageRegistryCredentials can now reference namespaced secrets and pod-level imagePullSecrets, removing a long-standing limitation for multi-tenant image verification setups
  • Silent image verification bypass fixed: processResourceWithPatches was returning nil on patch failure, allowing images to slip through unverified
  • successEventActions ConfigMap parameter lets you filter which success events Kyverno emits, useful for high-volume clusters drowning in event noise
  • CLI now supports cleanup policies, HTTP/Envoy authz policies, and mutateExisting in kyverno apply and kyverno test — CI pipelines can finally test these policy types offline
Source
← NewerOlder →