RATATOSKRATATOSK
Sign in

Releases

AI-analyzed release notes for CNCF graduated and incubating projects.

Project: RookClear ×

Rook

Storage & DataYesterdayJul 7, 2026

Rook v1.20.2 is a routine patch that tightens mgr network policy to ingress-only and bumps Ceph to v20.2.2 and ceph-csi-operator to v1.0.4, alongside several bug fixes and minor enhancements. No CVEs or breaking API changes are included.

  • securitymgr NetworkPolicy tightened to ingress-only

    The mgr NetworkPolicy is now restricted to ingress-only traffic. If you have custom NetworkPolicy rules that rely on mgr egress paths being open by default, review and adjust your network policies after upgrading to v1.20.2.

  • enhancementCeph bumped to v20.2.2, ceph-csi-operator to v1.0.4

    The default Ceph image is updated to v20.2.2 and ceph-csi-operator to v1.0.4. Test these versions in staging if your deployment pins Ceph or CSI operator images explicitly.

Key changes (7)
  • mgr NetworkPolicy restricted to ingress-only, closing previously open egress paths (medium severity)
  • Ceph default version updated to v20.2.2
  • ceph-csi-operator updated to v1.0.4
  • Node watcher now triggers reconciliation on label or annotation changes, improving dynamic node handling
  • VolumeAttachment resources are correctly removed during unmount in external clusters, preventing stale state
  • Mon reschedule floating time reduced for faster failover; node watcher skipped during initial cache sync to suppress spurious reconcile loops at startup
  • Smaller fixes: OSD raw-activate path no longer scans rbd devices incorrectly, config overrides now end with a trailing newline, object store realm access keys generated as URL-safe strings; new API for muting Ceph warnings added
Source

Rook

Storage & DataMay 27, 2026

Rook v1.19.6 is a targeted patch release addressing OSD device class handling, Prometheus metric labeling, and a network-layer dependency vulnerability. Mainly operational refinements for Ceph clusters already in production.

  • securityPatch golang.org/x/net vulnerability

    Rook v1.19.6 bumps golang.org/x/net twice (to fix govulncheck CI failures and address GO-2026-5026). If you run Rook in high-traffic environments or handle untrusted network input, review the golang.org/x/net advisory for the specific vulnerability. Upgrade to 1.19.6 to inherit the patched dependency, but do not delay if your Rook instance exposes networking logic to untrusted sources.

  • enhancementOSD device class detection fixed in raw-mode

    OSD device class handling now works correctly in raw-mode prepare and reconcile operations (#17407). If you use device classes to segregate fast (NVMe) from slow (HDD) storage, verify after upgrading that your OSD topology reflects the correct device classes. Check `ceph osd crush tree` and OSD weight distribution to ensure placement rules work as intended.

  • enhancementCluster label added to Prometheus metrics

    Prometheus scrape metrics now include a `cluster` label from upstream Ceph rules (#17544). If you aggregate Rook metrics across multiple Ceph clusters, this label addition improves metric cardinality and avoids collisions. Update any Prometheus rules, dashboards, or alerts that rely on the old label set; test in non-production first to catch any PromQL query breaks.

Key changes (8)
  • Prometheus rules updated with upstream Ceph changes; cluster label added to all scraped metrics
  • OSD device class now honored in raw-mode prepare and reconcile operations
  • golang.org/x/net patched to fix network-layer vulnerability (GO-2026-5026)
  • Self-signed certificate creation retry logic added for wrapped context deadline errors
  • Node existence checks added to monitor health check iterations
  • Default ResourceRequirements added for cmd-reporter pod
  • Encryption label detection improved for dmcrypt paths
  • DNS policy corrected for rook-ceph-exporter
Source

Rook

Storage & DataMar 24, 2026

Rook v1.18.10 patches several OSD reliability issues, tightens RBAC permissions, and adds minor operational improvements to the Ceph exporter and NFS server.

  • securityAudit your Rook RBAC after upgrading — nodes/proxy grant is gone

    The operator's nodes/proxy RBAC permission has been removed. If any custom tooling or monitoring in your environment relied on Rook's ServiceAccount having that grant, it will break silently after upgrade. Review any pipelines or dashboards that use the Rook operator ServiceAccount before rolling this out to production.

  • breakingEncrypted OSD users should test key rotation after upgrading

    The lockbox key rotation logic for encrypted OSDs was updated. Encrypted OSD clusters should run a non-production upgrade first and explicitly verify key rotation still works end-to-end. The CephX key init fix (no overwrite on failure) also changes behavior during error recovery — test any failure/retry scenarios you have documented.

  • enhancementUse the new CephNFS image fields to pin or customize NFS server images

    The new spec.server.image and spec.server.imagePullPolicy fields let you specify a custom NFS Ganesha image per CephNFS resource. This is useful if you need to pin a specific version for compliance or test a patched image without waiting for a Rook release. Update your CephNFS manifests if you currently work around this with other hacks.

Key changes (5)
  • Orphaned ceph-exporter deployments are now cleaned up automatically during reconcile
  • RBAC: nodes/proxy grants removed from the operator — reduces cluster-wide privilege footprint
  • Encrypted OSD lockbox key rotation logic updated — important for clusters using OSD encryption
  • CephX key init no longer overwrites an existing key on failure — prevents accidental key loss
  • CephNFS gains spec.server.image and spec.server.imagePullPolicy fields for custom NFS images
Source