RATATOSKRATATOSK
Sign in

Releases

AI-analyzed release notes for CNCF graduated and incubating projects.

Project: KnativeClear ×

Knative

Orchestration & ManagementJun 2, 2026

Knative Serving v1.22.1 is a focused patch fixing an idle connection leak in the network prober, a memory leak in webhook matchers, and adding a 3MiB webhook request body size limit.

  • securityApply the 3MiB webhook body limit immediately

    The new hard cap on webhook request body size closes a potential vector for memory exhaustion via oversized payloads. If you run Knative Serving in a multi-tenant or externally-exposed environment, upgrade to v1.22.1 now — don't wait for your next maintenance window.

  • breakingWebhook requests larger than 3MiB will now be rejected

    If any of your workloads submit unusually large objects to Knative's admission webhooks (e.g., Services or Configurations with very large env var blocks or annotations), those requests will start failing after this upgrade. Audit object sizes before rolling out, and trim any oversized metadata or spec fields.

  • enhancementUpgrade to stop slow memory and connection accumulation

    The prober connection leak and the expired-matcher memory leak are both cumulative — they degrade pod health gradually over time rather than causing immediate crashes. Clusters that have been running v1.22.0 for a while may already be affected. After upgrading, watch activator and webhook pod memory trends to confirm they stabilize.

Key changes (3)
  • Fixed idle connection leak in the networking prober component
  • Fixed memory leak caused by expired matchers in knative/pkg
  • Webhook request body size is now capped at 3MiB to prevent unbounded memory consumption
Source

Knative

Orchestration & ManagementJun 2, 2026

Knative Serving v1.21.3 is a patch release fixing memory leaks, a connection leak in the network prober, and adding a 3MiB webhook request body size limit.

  • security3MiB webhook body limit now enforced — test before upgrading

    The webhook request body is now hard-limited to 3MiB. If your workloads send large Knative resource specs (e.g., Services with extensive annotations, large env var blocks, or embedded configs), they could start getting rejected after this upgrade. Audit your largest Knative Service manifests before rolling this out to production. Anything approaching or exceeding 3MiB in a single admission request will fail.

  • enhancementPatch memory and connection leaks — upgrade promptly

    Two resource leaks are fixed here: a memory leak in expired matchers and an idle connection leak in the network prober. In long-running clusters with frequent reconciliation or active health-checking, these leaks accumulate. If you've noticed gradual memory growth in the Knative controller or networking components, this patch is the likely fix. No config changes needed — just upgrade.

Key changes (5)
  • Webhook request body size capped at 3MiB to prevent oversized payload abuse
  • Memory leak fixed in expired matchers within knative/pkg
  • Idle connection leak fixed in the networking prober
  • Non-constant format string error corrected in Serving
  • Dependency bumps across knative/pkg, knative/networking, and knative/hack
Source

Knative

Orchestration & ManagementApr 29, 2026

Knative v1.22.0 completes the EndpointSlices migration, consolidates TLS configuration across all components, and adds new autoscaling observability metrics.

  • enhancementScrape the new queue/active request metrics for autoscaling tuning

    kn.revision.request.queued and kn.revision.request.active are now available from queue-proxy. If you're tuning concurrency targets or debugging cold-start behavior, add these to your Prometheus scrape config and dashboards. They give you direct visibility into the queue depth per revision, which was previously only inferable from aggregate metrics.

  • enhancementVerify RBAC if running with minimal cluster permissions

    The ClusterRole now includes endpointslices/restricted permissions to support the EndpointSlices migration. If your cluster uses OPA, Kyverno, or any policy engine that audits ClusterRole changes, review and approve the updated role during upgrade. Missing this permission would break autoscaler stat forwarding.

  • enhancementGraceful WebSocket shutdown reduces in-flight request drops during scale-down

    The queue-proxy now shuts down WebSocket connections gracefully. If your services handle WebSocket traffic, this directly reduces dropped connections during rolling updates or scale-to-zero events. No configuration change needed — the improvement is automatic on upgrade.

Key changes (5)
  • Autoscaler stat forwarder and e2e tests fully migrated to EndpointSlices — Endpoints API usage continues to shrink
  • TLS configuration unified across reconciler, activator, and queue-proxy using knative.dev/pkg/network/tls
  • Two new metrics added: kn.revision.request.queued and kn.revision.request.active for better autoscaling visibility
  • Autoscaler now uses the /scale subresource for replica count updates instead of patching deployments directly
  • Deployment reconciliation optimized — updates only trigger on actual label, annotation, or spec changes
Source

Knative

Orchestration & ManagementMar 24, 2026

Knative v1.21.2 is a small patch release with one TLS improvement and a heads-up that secure-pod-defaults will flip to AllowRootBounded in v1.22.

  • breakingAudit root-dependent workloads before v1.22 ships

    The AllowRootBounded secure-pod-defaults setting is coming as the new default in v1.22. If any of your Knative Services run containers that require root (e.g., legacy apps, certain base images), they will break after that upgrade. Right now, while you're on v1.21, test those workloads with AllowRootBounded explicitly enabled. If they fail, set secure-pod-defaults to 'disabled' in your config-features ConfigMap before upgrading to v1.22 — don't wait until upgrade day.

  • enhancementConfigurable TLS via knative.dev/pkg/network/tls

    The shift to the shared knative.dev/pkg/network/tls library gives operators more control over TLS settings in Serving. If you manage custom TLS configurations or have internal PKI requirements, review whether this change aligns your TLS behavior with expectations — particularly in environments where cipher suites or minimum TLS versions are enforced by policy.

Key changes (3)
  • TLS configuration now uses knative.dev/pkg/network/tls for more flexible, configurable TLS behavior in Serving
  • secure-pod-defaults remains disabled by default in v1.21, but AllowRootBounded will become the default in v1.22
  • AllowRootBounded improves security posture while maintaining compatibility with most (but not all) images that expect root access
Source

Knative

Orchestration & ManagementFeb 24, 2026

Knative knative-v1.20.3 was released, but the published notes are too brief to summarize. See the original release notes for details.

Source

Knative

Orchestration & ManagementFeb 24, 2026

Knative v1.21.1 is a patch release that rebuilds v1.21.0 with Kubernetes v1.25.7 and provides advance notice of upcoming security defaults changes in v1.22.

  • securityPrepare for enhanced pod security posture

    Review your container images and workloads that run as root. The upcoming AllowRootBounded setting restricts root access while maintaining compatibility. Audit your applications now and consider migrating away from root execution where possible for better security alignment.

  • breakingTest workloads for v1.22 security changes now

    The secure-pod-defaults will change from disabled to AllowRootBounded in v1.22. Test your workloads with this setting enabled now. If incompatible, explicitly set secure-pod-defaults to disabled in your configuration before upgrading to v1.22 to avoid service disruptions.

Key changes (4)
  • Rebuilt with Kubernetes v1.25.7 for compatibility and stability
  • secure-pod-defaults remains disabled by default in v1.21.1
  • Future v1.22 release will change secure-pod-defaults to AllowRootBounded by default
  • AllowRootBounded setting provides better security while maintaining compatibility with root-requiring images
Source