RATATOSKRATATOSK
Sign in

Releases

AI-analyzed release notes for CNCF graduated and incubating projects.

Project: KnativeClear ×

Knative

Orchestration & ManagementJun 2, 2026

Knative Serving v1.22.1 is a focused patch fixing an idle connection leak in the network prober, a memory leak in webhook matchers, and adding a 3MiB webhook request body size limit.

  • securityApply the 3MiB webhook body limit immediately

    The new hard cap on webhook request body size closes a potential vector for memory exhaustion via oversized payloads. If you run Knative Serving in a multi-tenant or externally-exposed environment, upgrade to v1.22.1 now — don't wait for your next maintenance window.

  • breakingWebhook requests larger than 3MiB will now be rejected

    If any of your workloads submit unusually large objects to Knative's admission webhooks (e.g., Services or Configurations with very large env var blocks or annotations), those requests will start failing after this upgrade. Audit object sizes before rolling out, and trim any oversized metadata or spec fields.

  • enhancementUpgrade to stop slow memory and connection accumulation

    The prober connection leak and the expired-matcher memory leak are both cumulative — they degrade pod health gradually over time rather than causing immediate crashes. Clusters that have been running v1.22.0 for a while may already be affected. After upgrading, watch activator and webhook pod memory trends to confirm they stabilize.

Key changes (3)
  • Fixed idle connection leak in the networking prober component
  • Fixed memory leak caused by expired matchers in knative/pkg
  • Webhook request body size is now capped at 3MiB to prevent unbounded memory consumption
Source

Knative

Orchestration & ManagementMar 24, 2026

Knative v1.21.2 is a small patch release with one TLS improvement and a heads-up that secure-pod-defaults will flip to AllowRootBounded in v1.22.

  • breakingAudit root-dependent workloads before v1.22 ships

    The AllowRootBounded secure-pod-defaults setting is coming as the new default in v1.22. If any of your Knative Services run containers that require root (e.g., legacy apps, certain base images), they will break after that upgrade. Right now, while you're on v1.21, test those workloads with AllowRootBounded explicitly enabled. If they fail, set secure-pod-defaults to 'disabled' in your config-features ConfigMap before upgrading to v1.22 — don't wait until upgrade day.

  • enhancementConfigurable TLS via knative.dev/pkg/network/tls

    The shift to the shared knative.dev/pkg/network/tls library gives operators more control over TLS settings in Serving. If you manage custom TLS configurations or have internal PKI requirements, review whether this change aligns your TLS behavior with expectations — particularly in environments where cipher suites or minimum TLS versions are enforced by policy.

Key changes (3)
  • TLS configuration now uses knative.dev/pkg/network/tls for more flexible, configurable TLS behavior in Serving
  • secure-pod-defaults remains disabled by default in v1.21, but AllowRootBounded will become the default in v1.22
  • AllowRootBounded improves security posture while maintaining compatibility with most (but not all) images that expect root access
Source

Knative

Orchestration & ManagementFeb 24, 2026

Knative v1.21.1 is a patch release that rebuilds v1.21.0 with Kubernetes v1.25.7 and provides advance notice of upcoming security defaults changes in v1.22.

  • securityPrepare for enhanced pod security posture

    Review your container images and workloads that run as root. The upcoming AllowRootBounded setting restricts root access while maintaining compatibility. Audit your applications now and consider migrating away from root execution where possible for better security alignment.

  • breakingTest workloads for v1.22 security changes now

    The secure-pod-defaults will change from disabled to AllowRootBounded in v1.22. Test your workloads with this setting enabled now. If incompatible, explicitly set secure-pod-defaults to disabled in your configuration before upgrading to v1.22 to avoid service disruptions.

Key changes (4)
  • Rebuilt with Kubernetes v1.25.7 for compatibility and stability
  • secure-pod-defaults remains disabled by default in v1.21.1
  • Future v1.22 release will change secure-pod-defaults to AllowRootBounded by default
  • AllowRootBounded setting provides better security while maintaining compatibility with root-requiring images
Source