RATATOSKRATATOSK
ログイン

リリース

CNCF graduated・incubatingプロジェクトのリリースノートのAI分析。

Lima

Kubernetes Core2026年7月3日

Lima v2.1.4は、いくつかの不具合修正とnerdctlの更新、CLI・テンプレートの小さな改善をまとめたルーティンパッチです。破壊的変更やセキュリティ修正、非推奨化はありません。

主な変更 (5)
  • 不具合修正: xorrisofsフラグをxorrisofsコマンドにのみ追加するよう修正
  • 不具合修正: macOSでhvfが使えない場合、QEMUがtcgにフォールバックするよう修正
  • 依存関係: nerdctlをv2.3.3からv2.3.4に更新
  • テンプレートを更新、freebsd-15テンプレートが9pマウントに対応
  • 機能改善: limactl network list --jsonの出力にネットワーク名が含まれるように
原文

CRI-O

Kubernetes Core2026年7月2日

CRI-O v1.35.5は2件のバグ修正のみを含むパッチリリースです。再起動をまたいでImageRefが変化する問題と、gomaxprocs hookのCPU算出ロジックの問題が解消されました。破壊的変更・セキュリティ修正・API変更はありません。

主な変更 (2)
  • 再起動後にコンテナステータスのImageRefがrepo@digestからrawイメージIDに変わる不具合を修正
  • gomaxprocs hookがワークロードパーティショニングを無視するよう変更し、要求CPU数の2倍を下限に設定してGoスケジューラのスロットリングを緩和
原文

CRI-O

Kubernetes Core2026年7月2日

CRI-O v1.36.2は、gomaxprocsフックのCPU割り当て計算を修正する通常のパッチリリースです。Goスケジューラがスロットリングされる問題を軽減します。セキュリティ修正や破壊的変更はありません。

主な変更 (2)
  • gomaxprocsフックが、注入判定にワークロードパーティショニングを考慮しなくなった
  • CPU割り当ての計算を見直し、要求CPU数の最低2倍をコンテナに割り当てるよう修正。Goスケジューラのスロットリングを抑制
原文

CRI-O

Kubernetes Core2026年7月2日

CRI-O v1.34.10はバグ修正のみのパッチで、gomaxprocsのCPU注入ロジックの修正と、再起動後のコンテナステータスにおけるImageRef形式のリグレッション修正の2件が含まれます。セキュリティ、API、設定の変更はありません。

主な変更 (3)
  • gomaxprocsフックがCPU設定を注入するかどうかの判断でワークロードパーティショニングを無視するよう変更
  • gomaxprocsの計算が要求CPU数の少なくとも2倍を保証し、Goスケジューラのスロットリングリスクを低減
  • CRI-O再起動後にコンテナステータスのImageRefがrepo@digest形式から生のイメージIDハッシュに変わっていたバグを修正
原文

etcd

Kubernetes Core2026年7月2日

etcd v3.6.13は、--listen-client-http-urlsを設定しているクラスタのgRPCリスナーでCRL検証がバイパスされるHIGH深刻度の脆弱性(GHSA-3wh4-j44w-pg92)を修正するセキュリティパッチです。WebSocketのbearerトークン認証の修正と、v2-deprecationフラグへのオプション追加も含まれます。

  • securitygRPCリスナーのCRL検証バイパス(GHSA-3wh4-j44w-pg92)を修正

    --listen-client-http-urlsを設定しているクラスタでは、gRPCリスナーで証明書失効リスト(CRL)の検証がスキップされており、失効済みのクライアント証明書でも認証が通ってしまいます。v3.6.13へ更新してください。

主な変更 (3)
  • セキュリティ(HIGH): --listen-client-http-urls設定時のgRPCリスナーにおけるCRL検証バイパスを修正(GHSA-3wh4-j44w-pg92)
  • バグ修正: bearer-プレフィックス付きトークンを使うWebSocket認証の誤動作を解消
  • 機能追加: --v2-deprecationフラグにwrite-only-skip-checkオプションを追加し、v2コンテンツチェックを省略可能に
原文

etcd

Kubernetes Core2026年7月2日

etcd v3.5.32は、--listen-client-http-urlsを設定した際にgRPCリスナーでCRLが適用されなかったHIGH深刻度の脆弱性(GHSA-3wh4-j44w-pg92)を修正するセキュリティリリースです。v2-deprecationのバイパスオプション追加やいくつかのバグ修正も含まれます。

  • securitygRPCリスナーのCRL適用バイパス(GHSA-3wh4-j44w-pg92)

    --listen-client-http-urlsを設定している場合、gRPCリスナーでCRLが適用されず、失効した証明書が受け入れられる状態でした。mTLSと証明書失効リストを併用している環境では、v3.5.32へ更新してください。

主な変更 (6)
  • セキュリティ(HIGH): --listen-client-http-urls設定時にgRPCリスナーでCRL検証が行われなかった問題を修正(GHSA-3wh4-j44w-pg92)
  • --v2-deprecationフラグにwrite-only-skip-checkオプションを追加し、v2コンテンツチェックを迂回可能に
  • 非管理者によるメンテナンスステータスリクエストをサーバーが許可するよう変更
  • etcdutlのcheck v2storeがv2スナップショットとWALレコードの両方を検査するよう強化
  • bearer形式のトークンを使ったWebSocket認証の不具合を修正
  • トークン解析失敗時にJWTトークンの内容がログに記録されない処理を追加
原文

Helm

Kubernetes Core2026年6月20日

Helm v3.21.2 updates Kubernetes client libraries to match v1.36. This is a routine patch for client library alignment; upgrade to stay compatible with Kubernetes v1.36 clusters.

  • enhancementUpdate to v1.21.2 if you run Kubernetes v1.36

    Helm v3.21.2 updates its Kubernetes client libraries (client-go) to match the v1.36 API. If you already run Kubernetes v1.36 clusters, upgrade Helm to v3.21.2 to ensure full compatibility and avoid potential client-server version skew issues. Teams on earlier Kubernetes versions are not blocked — the upgrade is optional but recommended for consistency.

主な変更 (3)
  • Kubernetes client libraries bumped to v1.36
  • Helm 3.22.0 will be the final feature release for Helm 3
  • 3.21.3 will contain only bug fixes
原文

Lima

Kubernetes Core2026年6月19日

Lima v2.1.3 is a security-focused patch release fixing two CVEs: a privilege escalation in QEMU VMs and multiple containerd CVEs bundled via nerdctl v2.3.3. Upgrade promptly.

  • securityPatch QEMU privilege escalation (CVE-2026-53657) immediately

    Any unprivileged user inside a QEMU-backed Lima VM could gain root inside that VM by abusing the guest agent socket. If you share Lima VMs among multiple users or run untrusted workloads, this is high priority. Upgrade to v2.1.3 and restart affected VMs.

  • securitycontainerd CVE batch via nerdctl v2.3.3 — upgrade required

    Five CVEs in containerd are fixed in the bundled nerdctl v2.3.3 (containerd v2.3.2). If your Lima instances run container workloads, the old containerd is exposed. Upgrade Lima and recreate or restart VMs to pick up the new nerdctl binary.

  • breakingcontainerd.user defaults changed for non-Linux guests

    Lima no longer sets containerd.user=true by default on non-Linux guests (macOS, Windows). If you relied on rootless containerd on those platforms without explicitly setting this, validate your VM config after upgrading and set containerd.user=true explicitly if needed.

主な変更 (5)
  • Fixes CVE-2026-53657: arbitrary guest users could escalate to root via the QEMU guest agent socket
  • nerdctl bumped to v2.3.3, which bundles containerd v2.3.2 fixing CVE-2026-50195, CVE-2026-53488, CVE-2026-53492, CVE-2026-53489, CVE-2026-47262
  • Default template image switched from ubuntu-25.10 to ubuntu-26.04
  • containerd.user no longer defaults to true on non-Linux guests (behavior change for macOS/Windows VM workloads)
  • copytool: auto mode now falls back to scp when both source and destination are remote
原文

containerd

Kubernetes Core2026年6月19日

containerd v2.1.9 is a security-focused patch release fixing 5 CVEs. Upgrade immediately if you run any containerd 2.1.x deployment.

  • securityPatch 5 CVEs — upgrade containerd 2.1.x now

    This release closes 5 CVEs in containerd itself. The advisories are not yet public so severity details are unavailable, but 5 CVEs in a single patch release is unusually high. Any team running containerd 2.1.x on production nodes should plan an upgrade this week. Check your Kubernetes node images, managed node groups, and any bare-metal CRI setups.

  • securityrunc updated to v1.3.6 — verify your runc version separately

    The bundled runc binary ships as v1.3.6, which likely carries its own fixes. If you manage runc independently (common on Kubernetes nodes), confirm you are also running v1.3.6 or later — upgrading containerd alone will not replace a separately installed runc binary.

  • enhancementCheckpoint restore hardened against malicious archive content

    Three CRI fixes tighten checkpoint/restore: unexpected archive content is now rejected, re-tagging of restored checkpoints is skipped, and CDI annotations are filtered. If your team uses container checkpointing (e.g., CRIU-based live migration), test restore workflows after upgrading to confirm behavior is unchanged.

主な変更 (5)
  • 5 CVEs patched: CVE-2026-50195, CVE-2026-53488, CVE-2026-53492, CVE-2026-53489, CVE-2026-47262
  • runc dependency updated to v1.3.6
  • Go runtime updated to 1.26.4 / 1.25.11
  • CRI: CDI annotations filtered on checkpoint restore to prevent label propagation issues
  • User-database file reads bounded in openBoundedUserFile to prevent unbounded resource consumption
原文

containerd

Kubernetes Core2026年6月19日

containerd 1.7.33 patches two containerd CVEs and one go-jose CVE, updates runc to v1.3.6, and bumps Go. Security-only motivation to upgrade.

  • securityUpgrade to 1.7.33 for three CVE fixes

    Two CVEs in containerd itself (CVE-2026-53488, CVE-2026-47262) and one in go-jose (CVE-2026-34986) are patched here. Full details are in the GitHub security advisories. If you are running containerd 1.7.x in production, upgrade now — there is no other reason to stay on an earlier 1.7.x patch.

  • securityReserved labels can no longer leak from image configs

    A fix was added to prevent reserved labels being propagated from image configs. If your environment relies on label-based access control or policy enforcement, verify that behavior is unchanged after upgrading and check the advisory for CVE-2026-47262 for scope.

  • enhancementrunc updated to v1.3.6

    The bundled runc binary moves from whatever 1.7.32 shipped to v1.3.6. If you manage runc separately, make sure your installed version is at least v1.3.6 to stay consistent with what containerd expects.

主な変更 (5)
  • CVE-2026-53488 and CVE-2026-47262 patched in containerd core (advisories on GitHub)
  • CVE-2026-34986 in go-jose fixed by bumping go-jose/v3 to v3.0.5
  • runc binary updated to v1.3.6
  • Go runtime updated to 1.26.4 / 1.25.11
  • User-database file reads now bounded in openBoundedUserFile (hardening fix)
原文

containerd

Kubernetes Core2026年6月19日

containerd v2.0.10 patches two CVEs (CVE-2026-53488, CVE-2026-47262) and updates runc to v1.3.6. Upgrade promptly if running 2.0.x in production.

  • securityTwo CVEs fixed — upgrade now

    CVE-2026-53488 and CVE-2026-47262 are both addressed in this release. The advisories (GHSA-xhf5-7wjv-pqxp and GHSA-jpcc-p29g-p8mq) have full details on impact and scope. Any containerd 2.0.x node running in production should be upgraded to v2.0.10 before assessing whether you're actually exposed — these are runtime-level issues and the blast radius can be broad.

  • securityrunc bumped to v1.3.6

    The runc binary shipped with containerd is updated to v1.3.6, which itself carries fixes from v1.3.4 and v1.3.5. If you manage runc separately (e.g., installed via package manager), verify your runc version independently and align it with v1.3.6.

  • enhancementImage config reserved labels no longer propagate

    Labels reserved by containerd are now stripped from image configs before use. If you rely on any tooling that reads propagated reserved labels from running containers, test behavior after upgrading — this is a quiet behavioral change that may affect label-based automation.

主な変更 (5)
  • CVE-2026-53488 patched — see GHSA-xhf5-7wjv-pqxp for details
  • CVE-2026-47262 patched — see GHSA-jpcc-p29g-p8mq for details
  • runc updated to v1.3.6
  • Go runtime updated to 1.26.4/1.25.11
  • Bounded reads added for user-database file access; reserved labels no longer propagated from image configs
原文

containerd

Kubernetes Core2026年6月19日

containerd 2.3.2 is a security-heavy patch release fixing 5 CVEs alongside runtime stability fixes. Upgrade promptly if you're running 2.3.x in production.

  • security5 CVEs fixed — upgrade 2.3.x nodes now

    Five CVEs are patched in this release, covering containerd's core. The advisories are not yet fully public, but the breadth (5 in one patch) suggests meaningful attack surface. Teams running containerd 2.3.x in any environment should upgrade to 2.3.2 without waiting for the next maintenance window. Check your node provisioning pipelines and update the containerd binary alongside runc (now v1.4.3).

  • enhancementRetry on transient network errors during image pull

    The resolver now retries on transient network errors when the last configured host is tried. This reduces pull failures in flaky network environments without requiring any config change. No action needed, but useful context if you've been seeing intermittent image pull errors under network instability.

  • enhancementSlow container creation no longer causes RPC timeout failures

    A lock in the runc shim was held across the runc create call, causing concurrent RPC timeouts and startup failures when container creation was slow. This is now fixed. If you've seen containers stuck or failing to start under load, this patch likely addresses it.

主な変更 (5)
  • 5 CVEs patched (CVE-2026-50195, CVE-2026-53488, CVE-2026-53492, CVE-2026-53489, CVE-2026-47262) — full advisories on GitHub Security
  • runc updated to v1.4.3 and Go runtime bumped to 1.26.4
  • golang.org/x/crypto bumped from v0.49.0 to v0.53.0, along with other golang.org/x dependency updates
  • Fixed a data race in Windows shim log reads (deferredPipeConnection)
  • Fixed concurrent task RPC timeout causing container startup failures during slow container creation
原文

containerd

Kubernetes Core2026年6月19日

containerd 2.2.5 is a security-heavy patch release fixing 5 CVEs, with runc bumped to v1.3.6 and Go updated to 1.26.4/1.25.11. Upgrade promptly if running 2.2.x.

  • securityPatch 5 CVEs — upgrade 2.2.x nodes now

    This release closes 5 CVEs in containerd itself. Details are in the linked security advisories. Any cluster running containerd 2.2.x should upgrade to 2.2.5. The runc bump to v1.3.6 may also carry its own fixes — check the runc release notes before rolling out.

  • securitygolang.org/x/crypto and net updated — relevant if you build custom plugins

    golang.org/x/crypto jumped from v0.45.0 to v0.53.0 and golang.org/x/net from v0.47.0 to v0.55.0. If you vendor containerd or build plugins against its libraries, re-vendor and rebuild. The crypto jump in particular covers several upstream security fixes across that range.

  • enhancementCheckpoint/restore is more reliable in this release

    Three separate CRI fixes land here: CDI annotations are now filtered on checkpoint restore, restored checkpoints are no longer incorrectly re-tagged, and the restore path is hardened against malformed archive content. If you use container checkpoint/restore in production, this release is worth prioritizing.

主な変更 (5)
  • 5 CVEs patched: CVE-2026-50195, CVE-2026-53488, CVE-2026-53492, CVE-2026-53489, CVE-2026-47262
  • runc binary updated to v1.3.6
  • Go runtime updated to 1.26.4/1.25.11
  • golang.org/x/crypto bumped from v0.45.0 to v0.53.0 along with other x/ dependency updates
  • CRI checkpoint restore hardened: CDI annotation filtering, re-tagging fix, and robustness against unexpected archive content
原文

Helm

Kubernetes Core2026年6月18日

Helm v4.2.2 reverts a premature exit fix in WaitForDelete that was causing test failures. A one-line patch addressing a race condition in status observation.

  • breakingWaitForDelete race condition re-introduced—test suite hangs may return

    The patch that fixed a race condition in WaitForDelete (where the status observer canceled the watch too early) has been reverted in v4.2.2. If you run comprehensive Helm test suites or rely on WaitForDelete behavior, you may see intermittent hangs or timeouts again. Monitor test runs for flakiness after upgrading. A proper fix is likely incoming in a future patch—do not stay on v4.2.2 longer than necessary.

主な変更 (2)
  • Reverted the fix for early exit in WaitForDelete that was causing intermittent test failures when running full test suites
  • Race condition in status observer no longer cancels the watch prematurely
原文

Helm

Kubernetes Core2026年6月13日

Helm v4.2.1 fixes data races in concurrent operations, corrects output routing for command messages, and resolves version constraint parsing issues that caused false negatives.

  • breakingVerify output parsing in automation after upgrade

    Helm command success messages now correctly write to stdout instead of stderr. If your CI/CD pipelines, monitoring, or shell scripts redirect or filter Helm output by stream, they may behave unexpectedly. Check any grep, tee, or output capture logic that assumes helm writes to stderr. Most scripts should work unchanged, but streaming-dependent logic needs review.

  • enhancementUse version range constraints without workarounds

    Helm 4 previously rejected or warned about valid version range constraints like prerelease versions and missing spaces (e.g., 'v1.0.0||v1.1.0'). This is now fixed. If you've avoided version ranges or used pinned versions as a workaround, you can now adopt constraint-based version selection, which simplifies dependency management in large deployments.

  • enhancementUpgrade to get concurrent operation stability

    Multiple race conditions in concurrent goroutines (upgrade + rollback, install + uninstall on the same client, and WaitForDelete timing) are now fixed. Teams running high-concurrency Helm operations (e.g., multi-chart deployments, parallel reconciliation loops, or large test suites) should upgrade to eliminate intermittent failures. This is particularly important if you see flaky test results in your CI pipeline.

主な変更 (5)
  • Fixed data race in GetWaiterWithOptions when concurrent upgrade/rollback and install/uninstall operations target the same FailingKubeClient instance
  • Corrected helm command output routing: success messages now write to stdout instead of stderr
  • Fixed Helm 4 false negatives when parsing version range constraints (e.g., prerelease versions, missing spaces in || operator)
  • Patched WaitForDelete race condition where status observer canceled watches prematurely, causing intermittent test failures
  • Updated dependencies: cli-utils 1.2.1, controller-runtime 0.24.1, k8s 1.36.1, and golang.org/x/net v0.55.0 (GO-2026-5026)
原文

Helm

Kubernetes Core2026年6月12日

Helm v3.21.1 fixes a nil pointer panic in template operations and updates dependencies. A straightforward patch for stability.

  • securityUpgrade for Go security patch GO-2026-5026

    golang.org/x/net was bumped to v0.55.0 to fix GO-2026-5026. This is a supply-chain dependency, not directly exposed in Helm's API. Upgrade if your security scanning flags net vulnerabilities. No action needed if you're just using Helm normally—the fix is built in.

  • breakingClientOnly template operations now error correctly instead of panicking

    Helm template commands executed without cluster access (ClientOnly mode) previously crashed with nil pointer panics. v3.21.1 returns proper template errors instead. If you have automation that catches panics, update error handling to expect typed template errors. Test your template workflows before production rollout.

  • enhancementRegistry credentials now persist through HTTP fallback

    Registry operations now keep credentials when falling back from HTTPS to plain HTTP, thanks to oras-go v2.6.1. If you use private registries with HTTP-only endpoints, this improves reliability. No configuration change needed; the fix is automatic.

主な変更 (3)
  • Fixed nil pointer panic in helm template when running in ClientOnly mode (no Kubernetes cluster)
  • Preserved registry credentials on plain-HTTP fallback via oras-go v2.6.1 update
  • Bumped Go to 1.26 and golang.org/x/net to v0.55.0 to address GO-2026-5026
原文

Kubernetes

Kubernetes Core2026年6月12日

Kubernetes v1.36.2 is a patch release fixing critical bugs in Dynamic Resource Allocation (DRA) scheduler, CSI volume republishing, and endpoint controller, plus a Go 1.26.4 build update.

  • securityBinary non-UTF8 Secret data in container env vars now handled correctly

    Kubernetes 1.34+ had a regression where containers could not properly read environment variables set from Secret API objects containing binary non-UTF8 data. This is fixed in 1.36.2. If your workloads use non-text Secret data in environment variables, upgrade to prevent decode errors or silent failures.

  • breakingDRA device allocation bug affects multi-device workloads

    Kubernetes 1.36.0–1.36.1 has a scheduler bug that assigns mutually exclusive device partitions to multiple Pods when drivers use SharedCounters with multi-allocatable devices. This can cause workload failures, device conflicts, crashes, or data loss. If you use DRA with multi-allocatable devices (especially GPUs or custom accelerators with shared counters), upgrade to 1.36.2 immediately. Review recent Pod scheduling decisions for conflicts.

  • enhancementCSI volume republish failures no longer corrupt mount state

    Kubelet was incorrectly deleting CSI mount directories when periodic NodePublishVolume calls (triggered by requiresRepublish=true) failed, leaving pods with stale volume content. This is fixed in 1.36.2. If you run CSI drivers with requiresRepublish=true, this patch eliminates a data consistency risk—upgrade to prevent potential data issues on transient network or storage errors.

主な変更 (7)
  • Built with Go 1.26.4 for improved runtime stability
  • Fixed DRA scheduler bug that could assign mutually exclusive device partitions to multiple Pods, risking workload failures or data loss
  • Fixed kube-scheduler panic when DRA ResourceClaim with allocationMode: All selects shared counter devices
  • Fixed kubelet incorrectly deleting CSI mount directories on periodic NodePublishVolume errors, leaving stale volume content
  • Fixed regression where suspended Job spec modifications were rejected if JobSuspended condition was not yet set
  • Fixed endpoint controller panic on services with empty IPFamilies field
  • Fixed container environment variable handling for binary non-UTF8 data from Secrets
原文

Kubernetes

Kubernetes Core2026年6月12日

Kubernetes v1.35.6 fixes critical issues in pod scheduling with multi-node claims, DRA device selection, CSI volume republishing, and endpoint handling; includes a Go runtime upgrade and performance improvements.

  • securitySecret binary data in environment variables now handled correctly

    A 1.34+ regression broke environment variable injection from Secrets containing non-UTF8 binary data (e.g., certificates, keys in base64-encoded Secrets). If you inject Secrets as env vars and those Secrets contain binary data, upgrade to v1.35.6. Test this quickly if you run database credentials or keys via Secrets—the bug may have silently broken injection.

  • breakingUpgrade Go runtime to 1.25.11 in your build pipeline

    Kubernetes v1.35.6 is built with Go 1.25.11. If you run custom controllers or operators on the same Go version, verify compatibility and rebuild. If your CI/CD locks Go versions, update your build configuration. This is standard but must be done; old Go versions may have security gaps you're inheriting.

  • enhancementDRA scheduling and CSI republishing now reliable for dynamic resource allocation

    Three bugs are fixed: (1) scheduler no longer panics on DRA ResourceClaim with AllocationMode All and shared counters; (2) pods using multi-node and per-node claims no longer deadlock in Pending; (3) kubelet no longer deletes CSI mount directories on transient NodePublishVolume errors, preventing stale volume data. If you use DRA (dynamic resource allocation) or CSI with republish enabled, this release eliminates previously deadlocking scenarios. Upgrade to clear stuck pods and prevent future hangs.

主な変更 (6)
  • Upgraded to Go 1.25.11 for runtime stability and security patches
  • Fixed pod scheduling deadlock when using both multi-node and per-node DRA claims
  • Fixed kube-scheduler panic with DRA ResourceClaim AllocationMode consuming shared counters
  • Fixed kubelet deleting CSI mount directories on periodic NodePublishVolume failures, causing stale volumes
  • Fixed endpoint controller panic on services with empty IPFamilies field (pre-dual-stack services)
  • Fixed environment variable handling for Secret objects containing binary non-UTF8 data
原文

Kubernetes

Kubernetes Core2026年6月12日

Kubernetes v1.34.9 fixes volume handling in CSI mounts, binary secret data in containers, endpoint controller panics, and kubeadm certificate handling. Go 1.25.11 build improves runtime performance.

  • breakingUpgrade kubelet if running CSI drivers with requiresRepublish enabled

    A 1.34+ regression caused kubelet to delete CSI mount directories on republish failures, stranding pods with stale volume data. If you run CSI drivers with spec.requiresRepublish=true, upgrade immediately. Check your CSI driver specs and watch for failed republish attempts in kubelet logs before upgrading to confirm you hit this bug.

  • breakingTest binary Secret injection in container environment variables

    v1.34 broke environment variable parsing for containers referencing Secrets with binary (non-UTF8) data. If your workloads inject Secret data into environment variables, test them after upgrading. Check application startup logs for parsing errors; you may need to base64-encode binary Secret values instead.

  • enhancementUpdate Go runtime for performance and security

    v1.34.9 uses Go 1.25.11, which includes runtime optimizations and security patches. Upgrade when you next rotate your control plane and worker nodes. No code changes needed on your side, but the Go update may improve latency and reduce memory usage in your cluster.

主な変更 (5)
  • Kubernetes now built with Go 1.25.11 for improved performance and security patches
  • Fixed kubelet CSI mount directory deletion that left pods with stale volume contents after republish errors
  • Fixed panic in endpoint controller when processing services with empty IPFamilies field
  • Fixed regression in container environment variable parsing when values reference Secrets containing binary non-UTF8 data
  • Kubeadm certificate dry-run mode now correctly copies existing CA files
原文

Kubernetes

Kubernetes Core2026年6月12日

Kubernetes v1.33.13 was released, but the published notes are too brief to summarize. See the original release notes for details.

原文

CoreDNS

Kubernetes Core2026年6月9日

CoreDNS v1.14.4 delivers a broad set of targeted fixes and new capabilities: DNSSEC signing correctness fix, cache behavior improvements, forward plugin now resolves hostnames, and several transport security hardening items.

  • breakingDNSSEC signing behavior changed — review delegated zone setups

    The fix to sign each RRset with its owning zone rather than the query zone is technically correct, but if you have multi-zone DNSSEC setups with delegations, validate your signed responses after upgrading. Zones that were relying on the previous (incorrect) signing behavior may produce different signatures. Run dnssec-verify on a sample of records before cutting over in production.

  • enhancementUse hostname-based forward targets instead of hard-coded IPs

    The forward plugin now resolves hostnames for TO endpoints at runtime. If your CoreDNS configs currently pin upstream resolver IPs, you can switch to FQDNs and let CoreDNS handle resolution. This simplifies config management in environments where upstream IPs change (e.g., cloud-managed resolvers). Test in staging first — resolution failures at startup could affect forwarding.

  • enhancementRemove the 3600s cache TTL ceiling if longer TTLs are appropriate

    Cache TTLs were previously capped at 3600s regardless of the DNS record's actual TTL. That cap is gone. For stable records (root hints, internal authoritative zones) you can now set higher max_ttl values to reduce upstream query load. Audit your cache plugin config and raise max_ttl where it makes sense.

主な変更 (5)
  • DNSSEC signing fix: RRsets are now signed with the zone that owns the name, not the query zone — this corrects a subtle but real signing correctness bug
  • Forward plugin now supports hostname resolution for TO endpoints, removing the need to pre-resolve IPs in configs
  • Cache TTL cap of 3600s removed; serve_stale gains an optional verify timeout; positive cache is preferred over SERVFAIL in negative cache
  • File plugin triggers zone reload on mtime change — no more manual reload signals for zone file updates
  • dnstap plugin now supports incoming connections; secondary plugin gains fallthrough support
原文

CRI-O

Kubernetes Core2026年6月3日

CRI-O v1.35.4 is a patch release with no code changes or dependency updates from v1.35.3 — essentially a rebuild or re-tag of the previous patch.

  • enhancementSkip this upgrade unless you need a clean rebuild

    There are zero changelog entries and zero dependency changes. This release is likely a rebuild triggered by a CI/pipeline issue or a signing/artifact correction. If you're already on v1.35.3 and it's working, there's no functional reason to upgrade. Check the CRI-O GitHub issue tracker or release PR for context on why this tag was cut before deciding to roll it out.

  • enhancementVerify artifact integrity with cosign and SBOM before deploying

    Even for a no-change release, practice your supply chain verification workflow: use cosign to verify the signature on the tarball and the bom tool to validate the SPDX SBOM. This is good hygiene to establish before you need it on a critical release.

主な変更 (4)
  • No code changes between v1.35.3 and v1.35.4
  • No dependency additions, updates, or removals
  • Release artifacts available for amd64, arm64, ppc64le, and s390x
  • SBOM (SPDX format) and cosign signatures published alongside binaries
原文

CRI-O

Kubernetes Core2026年6月3日

CRI-O v1.36.1 is a small patch fixing a container status regression where ImageRef flipped to a raw image ID after restart, plus a debug log verbosity reduction.

  • breakingUpgrade if you rely on ImageRef for image identity after restarts

    Before this fix, CRI-O restarts caused ImageRef in container status to switch from a repo@digest string to a raw image ID. Any tooling that parses ImageRef — admission controllers, audit pipelines, image policy enforcers — could silently receive the wrong format and fail validation or produce incorrect audit records. If you run workloads where CRI-O restarts are common (e.g., upgrades, node reboots), patch to v1.36.1 immediately and validate your tooling handles the repo@digest format consistently.

  • enhancementExpect quieter debug logs under high-frequency List* RPC calls

    Clusters with aggressive monitoring or reconciliation loops generating frequent ListContainers/ListPodSandboxes calls were generating excessive debug log volume, which hurt CRI-O performance under high load. After this patch, debug logging is less chatty for these paths. If you previously reduced log levels specifically to work around this noise, you can now safely re-enable debug logging without the same overhead.

主な変更 (4)
  • Fixed ImageRef regression: container status now correctly returns repo@digest format (not raw image ID hash) after CRI-O restarts
  • Reduced log verbosity for List* RPC calls, cutting noise in debug-level logging under frequent polling
  • No dependency changes — pure bug fix release
  • SLSA provenance, OpenVEX, and SPDX SBOMs published for supply chain verification
原文

CRI-O

Kubernetes Core2026年6月3日

CRI-O v1.34.9 fixes two concurrency bugs: a panic from racing StopContainer calls and a spurious exit code 255 on fast-exiting containers. Pure bug-fix release, no dependency changes.

  • breakingPanic risk on concurrent StopContainer — upgrade if you drain nodes or run rapid pod teardowns

    If your cluster drains nodes, runs batch workloads with rapid pod churn, or uses any automation that issues multiple StopContainer calls in parallel, the pre-fix versions could panic CRI-O, taking down the container runtime on that node. This is a hard crash, not a graceful error. Upgrade to v1.34.9 immediately on any node where concurrent stop operations are plausible.

  • enhancementExit code 255 false positives are gone — review alerting and restart policies

    Exit code 255 is often treated as a runtime-level failure in monitoring stacks and can trigger unnecessary pod restarts or alerts. If you have OOMKill or fast-exit workloads (init containers, short-lived jobs) and have seen spurious 255 exit codes in your logs or metrics, those were false positives from this race. After upgrading, audit your alerting rules and CrashLoopBackOff history — you may find some pods were incorrectly flagged.

主な変更 (3)
  • Fixed panic caused by concurrent StopContainer calls sending on an already-closed channel
  • Fixed race condition that incorrectly reported exit code 255 for containers that exited quickly
  • No dependency additions, changes, or removals
原文

CRI-O

Kubernetes Core2026年6月3日

Single-fix patch release resolving a race condition that caused CRI-O to incorrectly report exit code 255 for fast-exiting containers.

  • breakingFalse exit code 255 may have masked real container failures

    If your monitoring, alerting, or restart policies key off exit code 255, you may have been misclassifying fast-exiting containers as crashed. After upgrading, audit any runbooks or OOMKill/CrashLoopBackOff workflows that treat exit code 255 as a specific signal — the real exit codes from short-lived containers will now surface correctly.

  • enhancementUpgrade straightforward for 1.33.x users — no config or dependency changes

    This is a clean drop-in replacement for v1.33.12. No dependency bumps, no config changes required. Plan a rolling node drain and replace the CRI-O binary. Prioritize nodes running batch jobs, init containers, or short-lived workloads where fast exits are common and exit code accuracy matters most.

主な変更 (3)
  • Fixed race condition causing exit code 255 misreport when containers exit quickly
  • No dependency changes — pure bug fix targeting a specific runtime edge case
  • Affects amd64, arm64, ppc64le, and s390x builds equally
原文

containerd

Kubernetes Core2026年6月3日

Security patch release fixing CVE-2026-46680 plus runtime bugs in sandbox service, AppArmor compatibility, and OCI USER spec handling.

  • securityPatch CVE-2026-46680 immediately

    CVE-2026-46680 is the primary driver for this release. Review the GHSA advisory to understand the attack surface and severity. If you run containerd 2.1.x in any environment, upgrading to 2.1.8 should be your next deployment task. There are no dependency changes, so the upgrade path is straightforward.

  • breakingOCI USER out-of-range values now fail explicitly — check your container specs

    Previously, out-of-range USER values in OCI specs could silently fall through to username/group lookups, masking misconfigurations. Now containerd returns an explicit error. If any of your containers or image builds set numeric USER values outside valid UID/GID ranges, they will start failing visibly after this upgrade. Audit your specs before rolling out to production.

  • enhancementUpgrade if you run AppArmor < 3.0 or use sandbox-based runtimes

    The conditional AppArmor abi fix is a real blocker for anyone on older AppArmor (e.g., Ubuntu 20.04 ships 2.x). The sandbox service bug also affects event-driven workflows and correct sandbox creation — silent misconfiguration is worse than a visible error. If you use Kata Containers or any sandbox-based runtime, this fix directly affects you.

主な変更 (5)
  • CVE-2026-46680 addressed — check the advisory for scope and impact before upgrading
  • OCI spec now returns explicit errors for out-of-range USER values instead of silently triggering unexpected username/group lookups
  • Sandbox service bugs fixed: Create fields were not being forwarded correctly and event topics were broken
  • AppArmor abi field now set conditionally, restoring compatibility with AppArmor versions below 3.0
  • Volatile snapshotter now accepts both 'volatile' and 'fsync=volatile' mount option styles
原文

etcd

Kubernetes Core2026年6月2日

etcd v3.6.12 is a patch release in the 3.6 series. The release notes are sparse — check the full CHANGELOG for specifics before upgrading.

  • breakingRead the CHANGELOG before upgrading

    The release notes for v3.6.12 are essentially empty — no changes are listed inline. Before upgrading any etcd cluster, pull the full CHANGELOG-3.6.md from the repo and review all entries since your current version. The official upgrade guide explicitly warns of potential breaking changes in the 3.6 series.

  • enhancementVerify container registry targets in your pipelines

    etcd maintains two registries: gcr.io is primary, quay.io is secondary. If your CI/CD or deployment manifests pin to quay.io, confirm it stays in sync with the primary. For production clusters, prefer gcr.io/etcd-development/etcd to avoid lag.

主な変更 (4)
  • Patch release in the 3.6.x maintenance track
  • Full change details available in the CHANGELOG-3.6.md, not included in release notes
  • Upgrade guide should be reviewed prior to deployment, as breaking changes may exist
  • Container images available on gcr.io/etcd-development/etcd (primary) and quay.io/coreos/etcd (secondary)
原文

etcd

Kubernetes Core2026年6月2日

etcd v3.5.31 is a patch release on the 3.5 branch. Release notes are minimal — check the full CHANGELOG for specifics before upgrading.

  • breakingCheck the upgrade guide even for patch versions

    The etcd team explicitly calls out that breaking changes can appear in patch releases. Don't skip the upgrade guide assuming this is safe to apply blindly. Verify any API or storage format changes against your current deployment before scheduling maintenance.

  • enhancementReview CHANGELOG before upgrading

    The release notes published here are sparse. Before rolling this out, pull the full CHANGELOG-3.5.md directly from the etcd repo to identify any bug fixes or behavioral changes that affect your cluster. Patch releases on 3.5 have historically included compaction fixes and lease handling improvements — worth verifying what specifically landed here.

主な変更 (4)
  • Patch release on the 3.5.x stable branch
  • Full change details available in the official CHANGELOG-3.5.md
  • Upgrade guide should be reviewed prior to deployment
  • Container images available on gcr.io/etcd-development/etcd (primary) and quay.io/coreos/etcd (secondary)
原文

etcd

Kubernetes Core2026年6月2日

etcd v3.4.45 is a maintenance release on the 3.4 branch. Release notes are sparse — check the full CHANGELOG for specifics before upgrading.

  • breakingCheck the official upgrade guide even for patch releases

    The release explicitly flags that breaking changes may exist. Etcd 3.4.x is a mature but still-active branch used heavily in Kubernetes clusters. Verify the upgrade guide at etcd.io before rolling this out, especially in production environments where quorum and data integrity are non-negotiable.

  • enhancementReview CHANGELOG before upgrading — release notes are intentionally minimal

    This release page contains almost no detail. Before upgrading, pull up CHANGELOG-3.4.md directly in the etcd GitHub repo to understand what actually changed. Blind upgrades on etcd — your cluster's source of truth — are a bad idea regardless of how minor a patch looks.

主な変更 (4)
  • Maintenance release on the 3.4.x stable branch
  • Full change details available only in the CHANGELOG-3.4.md, not surfaced in release notes
  • Container images published to gcr.io/etcd-development/etcd (primary) and quay.io/coreos/etcd (secondary)
  • Upgrade guide should be reviewed prior to deployment
原文

Lima

Kubernetes Core2026年6月1日

Lima v2.1.2 is a broad maintenance release fixing hostagent resource leaks, zombie processes, and gRPC connection leaks — plus template updates for Kubernetes 1.36, Ubuntu 26.04, and Fedora 44.

  • breakingAlpine template split — update your instance configs

    The generic `template:alpine` has been split into `template:alpine-3.21`, `template:alpine-3.22`, and `template:alpine-3.23`. If you reference `template:alpine` in scripts, CI, or configs, those references will break. Audit and update them to a specific versioned template before upgrading.

  • breaking_LIMA_QEMU_UEFI_IN_BIOS is deprecated — stop using it

    If you have the `_LIMA_QEMU_UEFI_IN_BIOS` environment variable set in any scripts or dotfiles, remove it now. The flag is deprecated in this release and will likely be removed in a future version. Check wrapper scripts and CI pipelines that invoke limactl with QEMU.

  • enhancementHostagent resource leak fixes — worth upgrading if you run long-lived instances

    Four separate hostagent fixes address GuestAgentClient leaks, inotify watcher accumulation, and gRPC stream mishandling on reconnect. If you've seen memory creep or stale connections in long-running Lima instances, this release directly addresses those issues. Upgrade proactively rather than waiting.

主な変更 (5)
  • Hostagent: fixed GuestAgentClient leaks, inotify watcher leaks, and gRPC stream behavior on guest-agent reconnect — a cluster of related fixes across 4 PRs
  • Driver fixes: zombie process prevention via PID tracking, WSL2 CPU spin-loop fix, and Darwin VZ GUI goroutine pinning to OS thread 0
  • Port forwarding gRPC tunnel connection leak fixed (#5043)
  • Templates updated: Kubernetes pinned to 1.36, Ubuntu 26.04 added, Alpine split into versioned variants (3.21/3.22/3.23), Fedora 44 added / Fedora 41 removed
  • QEMU: deprecated _LIMA_QEMU_UEFI_IN_BIOS flag, fixed non-deterministic boot disk ordering, added s390x support
原文

containerd

Kubernetes Core2026年5月21日

containerd v2.2.4 is a security-focused patch release addressing two CVEs plus several runtime fixes for overlay, sandbox, AppArmor, and seccomp behavior.

  • securityPatch both CVEs — update to v2.2.4 now

    Two CVEs are fixed here: one in containerd itself (CVE-2026-46680) and one in the go-jose dependency (CVE-2026-34986). Both affect production deployments. Don't wait for your next maintenance window — push this update through your standard emergency patch process. If you run containerd on Kubernetes nodes, this applies to all container runtimes backed by containerd regardless of the orchestrator.

  • securityAF_ALG is now blocked by default seccomp — test custom workloads

    The default seccomp profile now blocks AF_ALG (kernel crypto API via sockets). This reduces attack surface, but any workload relying on AF_ALG sockets — unusual but possible in cryptography-heavy or hardware-offload scenarios — will start seeing syscall denials. Run a quick audit of workloads with custom or permissive seccomp profiles before upgrading in production.

  • enhancementUserNS + overlay users should upgrade to fix layer extraction

    If you run rootless containers or pods using user namespaces with the overlay snapshotter, the previous 'rebase' capability caused layer extraction failures. This patch disables that capability automatically in UserNS contexts. No config change needed — just upgrade and verify your rootless workloads mount correctly post-update.

主な変更 (5)
  • CVE-2026-46680 patched in containerd core — security advisory on GHSA-fqw6-gf59-qr4w
  • CVE-2026-34986 patched via go-jose bump to v4.1.4 — affects JWT/JWK processing
  • AF_ALG socket family blocked in default seccomp policy, closing a kernel crypto API attack surface
  • Overlay snapshotter disables 'rebase' capability in user namespaces, fixing layer extraction failures
  • OCI spec USER handling now returns explicit errors for out-of-range values instead of silent bad lookups
原文

containerd

Kubernetes Core2026年5月21日

containerd 2.0.9 patches CVE-2026-46680 and fixes a TOCTOU race in tar extraction, lost container exit events on restart, and several security hardening issues.

  • securityPatch CVE-2026-46680 now

    A security vulnerability tracked as CVE-2026-46680 is fixed in this release. Any containerd 2.0.x deployment should be upgraded to 2.0.9 immediately. Check the GHSA advisory for affected configurations and severity before scheduling maintenance windows — this shouldn't wait.

  • securityTOCTOU fix in tar extraction reduces image unpack risk

    The TOCTOU race during tar extraction could be exploited with a crafted image layer to escape expected paths. This is relevant for any environment pulling untrusted or third-party images. Upgrade and consider auditing your image pull policies if you haven't already restricted sources.

  • breakingCheck AppArmor configs if running pre-3.0 AppArmor

    The AppArmor ABI field is now set conditionally, so systems running AppArmor older than 3.0 won't have an incompatible ABI injected into generated profiles. If you've been working around this with custom profiles, test your AppArmor setup after upgrading to confirm behavior is as expected.

  • enhancementFix for lost exit events matters for high-churn workloads

    If you've seen containers stuck in unexpected states after a containerd restart — particularly in Kubernetes environments with rapid pod cycling — this fix addresses the root cause. No config change needed; upgrading is enough.

主な変更 (5)
  • CVE-2026-46680 patched — upgrade immediately, details in the security advisory
  • TOCTOU race condition in tar extraction fixed, reducing potential for path traversal during image unpack
  • AF_ALG socket family now blocked in default seccomp policy, narrowing the kernel attack surface
  • Container exit events no longer dropped when they arrive before CRI info is cached during containerd restart
  • Sandbox service bugs fixed: Create fields forwarded correctly and event topics no longer misconfigured
原文

containerd

Kubernetes Core2026年5月21日

containerd 1.7.32 is a security-focused patch addressing CVE-2026-46680, plus hardening the default seccomp profile by blocking AF_ALG sockets and fixing OCI spec USER handling.

  • securityPatch CVE-2026-46680 now — upgrade to 1.7.32

    CVE-2026-46680 is the primary driver for this release. Details are in the containerd security advisory. If you're running any 1.7.x version, treat this as a mandatory upgrade. Check the advisory for severity and attack surface before deciding on your maintenance window — but don't defer this long.

  • securityAF_ALG is now blocked in the default seccomp profile — verify custom profiles

    The default seccomp policy now blocks the AF_ALG (kernel crypto) socket family. Containers relying on AF_ALG for hardware crypto offloading will break after this upgrade. Audit your workloads — most standard containers won't be affected, but custom crypto or HSM-adjacent workloads might. If needed, override via a custom seccomp profile rather than relaxing the default.

  • breakingOut-of-range USER values now fail explicitly — check your container images

    Previously, an out-of-range UID/GID in the OCI spec could silently trigger name lookups with unpredictable results. Now containerd returns an error. If you have images or specs with numeric USER values outside valid range, containers will fail to start instead of behaving unexpectedly. Run a pre-upgrade check on your image inventory, especially anything using high numeric UIDs.

  • enhancementAppArmor < 3.0 compatibility restored — relevant for older distros

    If you're running containerd on Ubuntu 20.04, Debian Bullseye, or any distro shipping AppArmor 2.x, earlier 1.7.x releases may have caused AppArmor profile load failures. This fix conditionally omits the abi directive. Upgrade and verify AppArmor profile loading if you've been seeing related errors.

主な変更 (5)
  • CVE-2026-46680 patched — update immediately if running 1.7.x
  • AF_ALG socket family now blocked in default seccomp socket policy, tightening the default container sandbox
  • OCI spec USER values that are out-of-range now return an explicit error instead of silently triggering unexpected username/group lookups
  • hosts.toml can now contain only root-level fields with no [host] section, fixing a config parsing bug
  • AppArmor abi directive is now set conditionally, restoring compatibility with AppArmor < 3.0
原文

containerd

Kubernetes Core2026年5月21日

containerd 2.3.1 patches CVE-2026-46680 and fixes several runtime/snapshotter bugs including seccomp hardening that blocks AF_ALG sockets by default.

  • securityPatch CVE-2026-46680 now — upgrade from 2.3.0

    CVE-2026-46680 is fixed in this release. Details are in the containerd security advisory. If you're on 2.3.0, treat this as a mandatory upgrade. Check your package manager or deployment pipeline to roll out 2.3.1 across all nodes before the vulnerability details are widely circulated.

  • securityAF_ALG blocked in default seccomp policy — test workloads that use kernel crypto

    The default seccomp profile now blocks AF_ALG (Linux kernel crypto API via sockets). Most containerized applications won't touch this, but anything using AF_ALG directly for cryptographic operations will break. Before upgrading in production, verify your workloads don't rely on AF_ALG — run a quick strace or audit your application's socket calls. Custom seccomp profiles are unaffected.

  • breakingNon-runc runtime users: test sandbox task API behavior after upgrade

    The sandbox task API endpoint fix and deprecation of task fields in Runc options targets non-runc runtime setups (e.g., Kata Containers, gVisor). If your cluster uses alternative runtimes, validate that container creation and task management still work as expected post-upgrade. The deprecation of task fields means you should audit any custom Runc options configs to remove deprecated fields before they're removed in a future version.

主な変更 (5)
  • CVE-2026-46680 patched — upgrade immediately if running 2.3.0
  • Default seccomp policy now blocks AF_ALG socket family, tightening container isolation
  • Out-of-range USER values in OCI spec now return explicit errors instead of triggering unexpected username/group lookups
  • Sandbox task API endpoints fixed for non-runc runtimes; task fields in Runc options deprecated
  • BoltDB files for metadata and mount plugins now properly closed on server shutdown, preventing resource leaks
原文

containerd

Kubernetes Core2026年5月21日

Patch release fixing sandbox task API endpoints broken for non-runc shims — critical for anyone running alternative runtimes like Kata Containers or gVisor.

  • breakingUpgrade if you run non-runc runtimes in sandbox mode

    The bug in api/v1.11.0 caused sandbox task API endpoints to malfunction for any shim that isn't runc — think Kata Containers, gVisor, or custom shims. If your cluster uses these runtimes and you're on 1.11.0, task operations against sandboxed workloads may silently fail or misbehave. Update to api/v1.11.1 immediately and verify task lifecycle operations (create, delete, exec) work correctly post-upgrade.

  • enhancementValidate your shim compatibility after upgrading

    The fix adds the task API address to CreateTaskRequest at the proto level. If you maintain a custom shim, review whether your implementation reads this field — it's now populated where it wasn't before. No action needed for standard runc workloads, but non-standard shim authors should test task creation flows against this API version.

主な変更 (3)
  • Task API address is now included in CreateTaskRequest, fixing routing for non-runc shims
  • No dependency changes — safe, minimal patch
  • Only 4 commits; scope is narrow and targeted
原文

Helm

Kubernetes Core2026年5月14日

Helm v3.21.0 bumps Kubernetes client libs to v1.36, patches OpenTelemetry CVEs, fixes OCI index chart pulling, and corrects nil value preservation in chart merging. Helm v3 EOL is approaching.

  • securityUpgrade immediately to patch OpenTelemetry CVEs

    OpenTelemetry packages were patched specifically to address CVEs. If you're running Helm in CI/CD pipelines or as part of automation tooling, upgrade to v3.21.0 now. Don't wait for the next patch release.

  • breakingPlan your Helm v4 migration — v3 EOL is real

    The release explicitly warns that Helm v3 is approaching end-of-life. This is not a distant concern — v3.22.0 targets Kubernetes v1.37 and v3.21.1 is just a bug fix release. Start evaluating Helm v4 changes now, especially if you maintain custom plugins or automation built around Helm's CLI or Go SDK.

  • enhancementTest OCI index-based chart pulls if you use multi-arch registries

    The fix for pulling charts from OCI indices means setups using image index manifests (common in multi-arch environments) should now work reliably. If you previously worked around this with direct digest references or manifest-specific tags, revisit those workarounds — they may no longer be necessary.

主な変更 (5)
  • Kubernetes client libraries updated to v1.36, aligning with current cluster versions
  • OpenTelemetry packages patched to address CVEs — direct security fix
  • Fixed chart pulling from OCI image indices (multi-arch/index manifests now work correctly)
  • Fixed dot-name path bug in chart handling
  • nil values in chart values are now preserved correctly when the chart default is an empty map
原文

Helm

Kubernetes Core2026年5月14日

Helm v4.2.0 ships Kubernetes 1.36 client support, a new mustToToml template function, fixes for dry-run server mode with generateName, and several post-renderer YAML parsing correctness fixes.

  • breakingRemove --hide-notes and --render-subchart-notes from your CI scripts

    Both flags are now deprecated and will likely be removed in a future release. Audit your helm install/upgrade/template invocations in CI pipelines and scripts. Dropping them now avoids a forced migration later when they're removed entirely.

  • enhancementAdopt mustToToml for safer TOML templating

    The new mustToToml function behaves like mustToJson — it returns an error instead of silently failing when TOML serialization goes wrong. If you're using toToml anywhere in your chart templates, swap it for mustToToml so template rendering failures are surfaced as actual errors rather than empty or malformed output.

  • enhancementValidate --dry-run=server against generateName resources

    Previously, --dry-run=server skipped resources that used generateName instead of name, which gave false confidence that those resources were being validated. That's fixed now. Re-run your server-side dry-run checks against any charts that use generateName — you may catch validation errors that were previously being silently ignored.

主な変更 (5)
  • Kubernetes client libraries bumped to v1.36, keeping Helm aligned with current cluster versions
  • New mustToToml template function added alongside the existing toToml (error-safe variant)
  • --dry-run=server now correctly handles resources using generateName instead of skipping them
  • --hide-notes and --render-subchart-notes flags deprecated; start removing them from scripts
  • Multiple post-renderer YAML parsing bugs fixed: wrong separator handling, line ending preservation, and hook conflicts
原文

Kubernetes

Kubernetes Core2026年5月13日

Kubernetes v1.36.1 is a focused patch release fixing 8 bugs across networking, node, and cluster lifecycle — most impacting Windows environments, ZFS nodes, and kubeadm-managed clusters.

  • breakingZFS nodes: upgrade immediately if running v1.36.0

    kubelet fails to start on ZFS-backed nodes in v1.36.0 due to a missing cadvisor plugin. If you deployed v1.36.0 on ZFS storage, those nodes are likely not running. Patch to v1.36.1 before any further ZFS node rollouts.

  • breakingWindows L2Bridge users: DNS timeouts are fixed but require upgrade

    Stale HNS endpoints caused traffic to route to wrong nodes when pod IPs were reused, producing silent DNS failures. This is hard to diagnose and easy to misattribute to DNS config. If you run Windows nodes with L2Bridge networking, treat this as a high-priority patch.

  • enhancementkubeadm bootstrap is more resilient against slow load balancers

    Previously, kubeadm init could fail or behave unexpectedly when the control plane load balancer wasn't ready yet. The fix makes bootstrap use the local API endpoint first, then defer to the LB endpoint — a meaningful improvement for cloud environments where the LB provisions asynchronously. Worth upgrading before your next cluster init or upgrade cycle.

主な変更 (5)
  • kubelet now starts correctly on ZFS nodes after a missing cadvisor plugin broke it in v1.36.0
  • Windows L2Bridge networks: stale HNS endpoint cleanup fixed, preventing DNS timeouts when pod IPs are reused across nodes
  • kube-proxy no longer triggers unnecessary full-sync operations in large clusters (1000+ endpoints)
  • kubeadm init now uses LocalAPIEndpoint instead of controlPlaneEndpoint during bootstrap, fixing timing issues with slow load balancers
  • kubeadm now uses a quorum-based etcd health check instead of requiring all members healthy, and assigns a dedicated ClusterRole for kube-apiserver's kubelet client
原文

Kubernetes

Kubernetes Core2026年5月13日

Kubernetes v1.35.5 is a focused patch release fixing scheduler state corruption, Windows networking, kube-proxy large-cluster behavior, and several kubeadm initialization issues.

  • breakingKubeadm users: review kubeconfig generation behavior after upgrade

    The kubeadm init change to use localAPIEndpoint for admin.conf and super-admin.conf is a behavioral fix, but clusters with custom controlPlaneEndpoint setups should validate that kubeconfigs are generated correctly after upgrading. If you rely on the controlPlaneEndpoint in generated configs for post-init tooling, test in staging first.

  • enhancementLarge clusters: upgrade kube-proxy to stop unnecessary full-syncs

    If you're running 1000+ endpoints, kube-proxy was previously triggering full-sync operations it shouldn't. This patch stops that. The fix directly reduces CPU and network overhead on busy clusters — upgrade kube-proxy as part of your next maintenance window.

  • enhancementScheduler memory leak fix — prioritize this patch if you see scheduling instability

    The scheduler bug with in-flight state tracking could cause unbounded growth in memory usage when pods with reused names fail scheduling repeatedly. If you've observed scheduling delays or growing scheduler memory consumption, this patch addresses the root cause directly.

主な変更 (5)
  • Scheduler bug fixed: stale in-flight queue state when a Pod is replaced with the same name during a failed scheduling attempt, which could cause unbounded memory growth
  • Windows L2Bridge networking fix: stale HNS endpoint cleanup now prevents DNS timeouts when pod IPs are reused across nodes
  • Kube-proxy no longer triggers unnecessary full-sync operations in large clusters (1000+ endpoints), reducing control plane churn
  • Kubeadm init now uses localAPIEndpoint instead of controlPlaneEndpoint for admin kubeconfigs, fixing bootstrap failures behind slow load balancers
  • Kubeadm etcd health check now uses quorum-based logic instead of requiring all members healthy, improving upgrade resilience
原文

Kubernetes

Kubernetes Core2026年5月13日

v1.34.8 is a focused bug-fix patch addressing IPv6 CIDR allocation errors, a scheduler memory leak, Windows DNS routing failures, and several kubeadm cluster lifecycle issues.

  • securitykubeadm now uses a dedicated ClusterRole for kube-apiserver kubelet access

    The kube-apiserver's kubelet client is now bound to 'system:kubelet-api-admin' instead of a shared role. For kubeadm-managed clusters, re-running 'kubeadm init phase bootstrap-token' or upgrading via kubeadm will apply this change. Existing clusters upgraded in-place will get this tighter RBAC scoping automatically — verify with 'kubectl get clusterrolebinding' post-upgrade.

  • breakingIPv6 clusters: audit ServiceCIDR allocations before upgrading

    The 64-bit IPv6 ServiceCIDR bug means some clusters may have services with IPs that technically fall outside the configured subnet. After upgrading to v1.34.8, check whether any existing service IPs are out-of-range and consider recreating affected services. This primarily impacts clusters using /64 IPv6 service CIDRs.

  • enhancementLarge clusters: kube-proxy full-sync elimination reduces control plane pressure

    If you're running clusters with 1000+ endpoints, kube-proxy was performing expensive full-sync operations unnecessarily in large-cluster mode. This patch stops that. The benefit is lower CPU and latency spikes during endpoint churn. No config changes needed — upgrade and monitor kube-proxy CPU usage to confirm the improvement.

主な変更 (5)
  • IPv6 ServiceCIDRs with 64-bit prefixes were allocating addresses outside the valid subnet range — now fixed
  • Scheduler could accumulate unbounded in-flight event state when a pod with the same name replaced a failed scheduling attempt, causing memory growth
  • Windows L2Bridge networks: stale HNS endpoints from reused pod IPs caused DNS timeouts by routing traffic to wrong nodes
  • kube-proxy no longer triggers unnecessary full-sync operations in large clusters (1000+ endpoints)
  • kubeadm init now uses LocalAPIEndpoint in kubeconfigs during bootstrap, avoiding failures with delayed load balancers; etcd health check now uses quorum logic instead of requiring all members healthy
原文
古い →