RATATOSKRATATOSK
ログイン

Kubernetes

v1.33.11Kubernetes Core
2026年4月16日

v1.33.11 is a targeted patch fixing two networking bugs — apiserver startup failures with MultiCIDRServiceAllocator and kube-proxy nftables breakage on nft 1.1.3 — plus a Go 1.25.9 compiler bump.

  • breakingUpgrade now if using MultiCIDRServiceAllocator with large clusters

    If you have MultiCIDRServiceAllocator enabled and a large namespace count, apiserver can fail to start during an upgrade — it was hitting Forbidden errors from admission plugins that weren't ready yet and not retrying. This patch makes that retry happen. If you've been deferring upgrades to 1.33 because of this, you're now unblocked. Check your apiserver logs for 'Forbidden' errors from the IP repair controller as a diagnostic signal.

  • breakingkube-proxy nftables mode is broken on nft 1.1.3 — patch immediately

    Systems running nft 1.1.3 (which ships in some recent distro releases) will have silently broken kube-proxy nftables mode. Traffic may appear to work at first but rule updates won't apply correctly. If your nodes run nft 1.1.3, either pin to an older nft version as a workaround or — better — upgrade to this patch release. Run 'nft --version' on your nodes to check.

  • enhancementOTel dependency jump to v1.41.0 — validate your observability pipeline

    The OpenTelemetry Go SDK went from v1.33.0 to v1.41.0 in this patch, which is a substantial version range. If you're consuming Kubernetes telemetry data or running sidecars that interact with the OTel SDK, verify compatibility with your collectors and backends after upgrading. No functional changes are documented for Kubernetes itself, but the jump is large enough to warrant a smoke test of your tracing and metrics pipelines in a non-prod environment first.

主な変更 (5)

  • Go compiler updated to 1.25.9 (security and runtime improvements baked in)
  • Fixed apiserver startup crash during upgrades when MultiCIDRServiceAllocator is enabled in clusters with many namespaces — the IP repair controller now retries on Forbidden errors from not-yet-ready admission plugins
  • Fixed kube-proxy nftables mode compatibility with nft 1.1.3, which was silently broken
  • OpenTelemetry dependencies bumped from v1.33.0 to v1.41.0 — a large jump for observability consumers
  • knftables library updated from v0.0.17 to v0.0.21, directly tied to the nftables fix