Flux
v2.8.7CI/CD & App DeliveryFlux v2.8.7 patches a CVE in go-git and fixes a destructive reconciliation bug where non-namespaced resources with ssa:IfNotPresent were being deleted and recreated every cycle.
securityPatch CVE-2026-45022 by upgrading now
go-git v5.19.0 fixes CVE-2026-45022, which affects source-controller and image-automation-controller — two components that actively clone and interact with Git repos. If your Flux installation pulls from any external or semi-trusted Git source, treat this as a priority upgrade. Run 'flux install' or update your Helm release to v2.8.7 immediately.
breakingCheck non-namespaced resources using ssa:IfNotPresent for unintended churn
If you're managing ClusterRoles, CRDs, or other cluster-scoped resources with the kustomize.toolkit.fluxcd.io/ssa: IfNotPresent annotation, those resources were being silently deleted and recreated on every reconciliation loop before this fix. Audit your Kustomization objects and verify resource state after upgrading to confirm the churn has stopped. Any dependent workloads may have experienced disruptions you weren't aware of.
enhancementFollow the v2.7+ upgrade procedure if coming from v2.6
The Flux team has a specific upgrade discussion thread for v2.7+ migrations. Skipping it when jumping from v2.6 to v2.8.7 can cause issues. Review the linked procedure before applying this update in environments running older Flux versions.
主な変更 (4)
- CVE-2026-45022 fixed via go-git v5.19.0 in source-controller and image-automation-controller
- kustomize-controller no longer deletes and recreates non-namespaced resources annotated with ssa:IfNotPresent on every reconciliation
- fluxcd/pkg dependency updates across source-controller, kustomize-controller, and image-automation-controller
- helm-controller v1.5.4, kustomize-controller v1.8.5, source-controller v1.8.4 component bumps