CRI-O
v1.35.2Kubernetes CoreCRI-O v1.35.2 is a focused bug-fix patch addressing image pull credential verification, metrics reporting gaps, and OCI artifact store contamination issues.
breakingVerify credential provider workflows after upgrading
The PullImage fix changes what gets returned during image pulls. If you use Kubernetes credential provider plugins or have automation that validates image pull behavior, test those flows before rolling this to production. The old behavior could silently bypass credential checks in edge cases.
enhancementAudit your metrics pipelines — you may have been missing data
The metrics bug means any cluster running v1.35.x before this patch was likely returning incomplete metrics when 'all' was set. After upgrading, expect metric cardinality to increase. Check dashboards and alerting thresholds — a spike in metrics volume is expected and correct, not a problem.
enhancementUse additional_artifact_stores for air-gapped or mirrored artifact setups
If you run air-gapped clusters or internal artifact mirrors, the new 'additional_artifact_stores' option lets you configure multiple read-only sources without hacking around existing config. Pair this with the pinned_images fix to ensure pinned artifacts are pulled from the right store consistently.
主な変更 (5)
- PullImage now returns the image ID directly, fixing Kubernetes credential verification compatibility
- Metrics endpoint now returns all metrics when 'all' is configured — previously silently incomplete
- Regular container images can no longer accidentally land in the OCI artifact store
- pinned_images configuration now applies consistently to artifact store images, not just regular containers
- New 'additional_artifact_stores' config option for adding read-only artifact store sources