RATATOSKRATATOSK
ログイン

リリース

CNCF graduated・incubatingプロジェクトのリリースノートのAI分析。

2026年3月解除 ×

etcd

Kubernetes Core2026年3月20日

日本語 準備中etcd v3.6.9 is a maintenance release. The release notes are sparse — check the full CHANGELOG for the actual diff before upgrading.

  • breakingRead the CHANGELOG before upgrading — release notes are incomplete

    The published release notes for v3.6.9 contain no change details. Before upgrading any etcd cluster, pull up CHANGELOG-3.6.md directly and diff the entries since your current version. The 3.6 series has known breaking changes, and skipping this step on a stateful system like etcd is a real risk.

  • enhancementVerify container image source if you pull from quay.io

    etcd's primary registry is gcr.io/etcd-development/etcd. If your pipelines pull from quay.io/coreos/etcd, confirm that image is current and matches the gcr.io digest. Secondary registries can lag. Pin by digest, not just tag, to avoid silent version mismatches.

主な変更 (4)
  • Release notes do not enumerate specific changes; full details are in the CHANGELOG-3.6.md
  • Upgrade guide should be reviewed prior to upgrading due to potential breaking changes in the 3.6 series
  • Primary container image available via gcr.io/etcd-development/etcd; quay.io/coreos/etcd remains the secondary registry
  • Supported platform matrix may have been updated — verify your architecture/OS combo before deploying
原文

etcd

Kubernetes Core2026年3月20日

日本語 準備中etcd v3.5.28 is a patch release in the 3.5 series. Release notes are sparse — check the full CHANGELOG for specifics before upgrading.

  • breakingRead the CHANGELOG before upgrading — release notes are incomplete

    The published release notes for v3.5.28 contain no actual change details. Before upgrading any etcd cluster, pull the full CHANGELOG-3.5.md from the etcd repo and review entries since your current version. Skipping this on a stateful system like etcd is a real risk.

  • enhancementStick to the primary container registry for pulls

    gcr.io/etcd-development/etcd is the authoritative image source. quay.io/coreos/etcd is secondary and may lag. If your cluster pulls from quay.io, verify the image digest matches the primary before deploying in production.

主な変更 (4)
  • Patch release in the 3.5 stable series
  • Full change details available only in the CHANGELOG-3.5.md, not surfaced in the release notes directly
  • Container images available via gcr.io/etcd-development/etcd (primary) and quay.io/coreos/etcd (secondary)
  • Upgrade guide should be reviewed before deploying — breaking changes may be present
原文

etcd

Kubernetes Core2026年3月20日

日本語 準備中etcd v3.4.42 is a maintenance release on the 3.4 branch. The release notes are sparse — check the full CHANGELOG for specifics before upgrading.

  • breakingCheck the upgrade guide even for patch releases

    The release explicitly calls out that breaking changes may exist. On a 3.4.x patch bump this is unlikely but not impossible — particularly around snapshot or WAL handling. Verify the upgrade guide is clean for your version before rolling out to production clusters.

  • enhancementReview the full CHANGELOG before upgrading

    The release notes published here are essentially empty. Before applying this update to any environment, pull the CHANGELOG-3.4.md directly from the etcd repo to understand what bug fixes or patches are included. Blind upgrades on a critical consensus store are a bad idea.

主な変更 (4)
  • Maintenance release on the 3.4.x stable branch
  • Full change details available only in the CHANGELOG-3.4.md
  • Upgrade guide should be reviewed for any breaking changes before applying
  • Container images available on gcr.io/etcd-development/etcd (primary) and quay.io/coreos/etcd (secondary)
原文

Kubernetes

Kubernetes Core2026年3月19日

日本語 準備中v1.35.3 is a small patch with two kubeadm bug fixes and one DRA eviction status reporting cleanup. Low risk, safe to apply.

  • enhancementUpgrade kubeadm-managed clusters to fix etcd learner endpoint bug

    The etcd learner member fix is the most operationally relevant change here. If you use kubeadm and have experienced etcd client connectivity issues during node join/promotion operations, this patch addresses the root cause. Schedule an upgrade during your next maintenance window — no config changes required, just a kubeadm binary update.

  • enhancementkubeadm reset is more reliable on systems with peer mounts

    If your node reset automation was failing on environments where /var/lib/kubelet has peer mounts (common in certain container runtimes or nested mount configurations), this fix prevents those EINVAL errors from blocking the reset process. Worth upgrading if you've seen unexplained reset failures.

主な変更 (3)
  • kubeadm no longer adds etcd learner members to client endpoints, preventing potential routing issues during cluster operations
  • kubeadm reset now ignores EINVAL errors when unmounting /var/lib/kubelet peer mounts, avoiding spurious failures on reset
  • DRA device taint eviction controller fixes a misleading status message that double-counted pod evictions in intermediate states
原文

Kubernetes

Kubernetes Core2026年3月19日

日本語 準備中v1.34.6 is a minimal patch fixing two kubeadm bugs: etcd learner endpoints and a kubelet unmount error during cluster reset.

  • enhancementUpgrade if you run kubeadm-managed clusters with etcd membership changes

    The etcd learner fix matters any time you add etcd members — a learner node (not yet a voting member) being included in client endpoints could cause request failures during the promotion window. If you've seen intermittent etcd client errors during node additions, this patch resolves it. Otherwise, apply at your normal patch cadence.

  • enhancementUpgrade if kubeadm reset fails on your nodes

    The EINVAL unmount fix addresses a real pain point: kubeadm reset aborting mid-way when certain bind mounts under /var/lib/kubelet can't be cleanly unmounted. This tends to show up on nodes with overlapping mount namespaces or specific filesystem setups. If you've had to manually clean up after a failed reset, this patch removes that friction.

主な変更 (3)
  • kubeadm no longer adds etcd learner members to client endpoint lists, preventing potential routing errors during etcd membership changes
  • kubeadm reset now ignores EINVAL errors when unmounting /var/lib/kubelet peer mounts, fixing failures on certain kernel/filesystem configurations
  • No dependency changes — this is a pure bug fix release
原文

Kubernetes

Kubernetes Core2026年3月19日

日本語 準備中v1.33.10 is a small patch fixing a kube-controller-manager nil pointer crash in ValidatingAdmissionPolicy and two kubeadm operational bugs. No dependency changes.

  • breakingPatch immediately if you use ValidatingAdmissionPolicy with open schemas

    Any ValidatingAdmissionPolicy referencing an object schema with `additionalProperties: true` will crash kube-controller-manager outright — not degrade gracefully. If you're running v1.33.x and using VAP, check your policies now. Upgrade to v1.33.10 before deploying any new policies with open schemas, or you risk taking down the controller manager.

  • enhancementkubeadm etcd learner fix matters for HA cluster joins

    When adding control plane nodes, etcd temporarily registers new members as learners. The previous behavior incorrectly included learner endpoints in the etcd client pool, which could cause client errors during promotion. If you run kubeadm-managed HA clusters and have experienced intermittent etcd client failures during control plane joins, this patch resolves it. Upgrade before your next control plane scaling operation.

  • enhancementkubeadm reset now handles stubborn bind mounts cleanly

    On nodes with bind-mounted /var/lib/kubelet directories, `kubeadm reset` previously failed with EINVAL during unmount, leaving cleanup incomplete. The fix silently ignores EINVAL — which is expected for peer mounts — so resets complete cleanly. Useful if you automate node decommissioning with kubeadm reset in scripts.

主な変更 (3)
  • ValidatingAdmissionPolicy: schemas with `additionalProperties: true` no longer crash kube-controller-manager with a nil pointer exception
  • kubeadm no longer adds etcd learner members to client endpoints, preventing potential routing issues during cluster operations
  • kubeadm reset now gracefully handles EINVAL errors when unmounting /var/lib/kubelet peer mounts, avoiding false failures
原文

Lima

Kubernetes Core2026年3月17日

日本語 準備中Lima v2.1.0 adds experimental macOS and FreeBSD guest support, renames the guest home directory path, and consolidates disk files — a release with real migration considerations alongside useful new features.

  • breakingDisk file consolidation means no downgrade path

    Once an instance runs under Lima v2.1, its disk format is incompatible with v2.0 and v1.x. Snapshot or back up critical VM instances before upgrading. If you manage shared Lima environments or CI pipelines that pin Lima versions, ensure all consumers upgrade together — you can't roll back individual instances.

  • breakingHardcoded paths to `/home/${USER}.linux` will break

    The guest home directory is now `/home/${USER}.guest`. A symlink covers the old path, so most things will keep working. However, any scripts, dotfiles, or tooling that hardcodes the `.linux` suffix — particularly in non-symlink-aware contexts like bind mounts or container volume paths — should be audited and updated.

  • enhancementUse `limactl shell --sync` for AI agent workflows

    If you're running AI coding agents (e.g., Claude Code, Aider) inside Lima shells, `--sync` prevents the agent from accidentally modifying host files by syncing the working directory into the guest context. Adopt this flag in any automation or agent harness that launches `limactl shell` — it's a low-friction safety net.

  • enhancementk3s template now supports multi-node clusters

    The built-in `k3s` template can now spin up multi-node clusters, which makes local Kubernetes testing significantly more realistic. If you've been working around this limitation with custom configs or alternative tools like Rancher Desktop, it's worth re-evaluating the native template.

主な変更 (6)
  • Experimental macOS and FreeBSD guest support via new templates (`template:macos`, `template:freebsd`)
  • Guest home directory renamed from `/home/${USER}.linux` to `/home/${USER}.guest`; old path symlinked for compatibility
  • `basedisk` + `diffdisk` consolidated into a single `disk` file — instances from v2.0/v1.x boot fine in v2.1, but not the reverse
  • New `limactl shell --sync` flag to isolate AI agent shell sessions from host filesystem
  • Host-to-guest time synchronization added in the hostagent; guestagent binary shrunk from 14MB to 6.1MB
  • QEMU is now the default hypervisor for non-native architectures
原文

Helm

Kubernetes Core2026年3月12日

日本語 準備中Helm v3.20.1 fixes two critical bugs affecting chart value handling and OCI registry operations that could cause deployment failures.

  • enhancementUpgrade immediately for value handling fixes

    This patch resolves two bugs that could break chart deployments. The nil value preservation fix prevents unexpected behavior when overriding chart defaults, while the OCI tag+digest fix enables proper chart pulling from registries using both identifiers. Test your existing charts after upgrading to ensure value overrides work as expected.

  • enhancementVerify OCI chart references work properly

    If you use OCI registries with tag+digest references (like `registry/chart:v1.0@sha256:abc123`), this release fixes previous 'invalid byte' errors. Update your CI/CD pipelines to use this version before relying on tag+digest combinations for chart immutability.

主な変更 (4)
  • Fixed nil value preservation bug when charts have empty maps or no defaults for keys
  • Resolved OCI reference failures with tag+digest causing 'invalid byte' errors
  • Updated Kubernetes dependencies to latest versions
  • Added support for pulling charts from OCI indices
原文

Helm

Kubernetes Core2026年3月11日

日本語 準備中Helm v4.1.3 patches multiple critical bugs affecting OCI registries, dry-run operations, and value handling that were causing deployments to fail or behave unpredictably in production environments.

  • breakingUpdate OCI registry workflows immediately

    If you use OCI registries that store both container images and Helm charts under the same tag, upgrade now. The previous bug caused complete pull failures. Test your chart pulls after upgrading to ensure compatibility with your registry setup.

  • enhancementReview autoscaling upgrade timeouts

    Upgrades now properly wait for cluster autoscalers and rolling updates instead of failing prematurely. Review your deployment pipelines and consider reducing any artificial delays you added to work around this issue. Monitor initial upgrades closely to verify improved behavior.

  • enhancementValidate dry-run operations with generateName

    Server-side dry-run now correctly handles generateName fields. If you've been avoiding dry-run validation for resources using generateName, re-enable it in your CI/CD pipelines. This improves pre-deployment validation coverage.

主な変更 (5)
  • Fixed dry-run server mode not respecting generateName, causing validation issues
  • Resolved OCI registry failures when pulling charts from mixed container/chart repositories
  • Fixed nil value preservation preventing proper chart defaults overrides
  • Corrected FailedStatus handling that caused premature upgrade failures during autoscaling
  • Eliminated YAML corruption from template whitespace trimming after post-rendering
原文

containerd

Kubernetes Core2026年3月10日

日本語 準備中containerd 2.2.2 fixes critical CRI networking bugs, registry credential leakage, and AppArmor compatibility issues that could affect production Kubernetes workloads.

  • securityUpdate to prevent registry credential exposure

    Registry credentials could leak in error messages and pod events. Deploy this patch immediately if you use private registries with authentication, as these credentials might appear in logs or Kubernetes events that could be accessed by unauthorized users.

  • breakingFix CNI network cleanup after restarts

    CNI DEL operations weren't executing after containerd restarts, leaving stale network configurations. This affects pod networking reliability. Update before your next maintenance window to prevent network namespace leaks and potential IP conflicts.

  • enhancementUpgrade for AppArmor compatibility

    AppArmor profiles now work correctly with unix domain sockets on modern kernels. If you're running newer kernel versions and experiencing socket connection issues with AppArmor enabled, this update resolves the compatibility problem.

主な変更 (5)
  • Fixed CNI cleanup issue where network teardown failed after containerd restarts
  • Resolved credential leakage in error messages when registry authentication fails
  • Fixed AppArmor profile causing unix socket failures on newer kernels
  • Corrected registry mirror configuration migration for legacy setups
  • Fixed nil pointer crashes in memory metrics when constraints are partially configured
原文

CoreDNS

Kubernetes Core2026年3月6日

日本語 準備中CoreDNS v1.14.2 delivers critical security fixes including ACL bypass prevention and stronger loop detection randomness, plus introduces proxy protocol support for preserving client IPs behind load balancers.

  • securityUpgrade immediately to fix ACL bypass vulnerability

    This release fixes CVE-2026-26017 where the rewrite plugin could bypass ACL restrictions. Teams using ACL plugin for access control should prioritize this upgrade and verify their rewrite rules aren't inadvertently exposing restricted zones.

  • securityUpdate Go runtime for multiple CVE fixes

    The Go 1.26.1 update addresses five CVEs in the runtime. Plan your rollout to ensure you're getting both CoreDNS fixes and the underlying Go security improvements, especially if your CoreDNS instances are internet-facing.

  • enhancementDeploy proxyproto plugin for load balancer environments

    If you're running CoreDNS behind load balancers and need real client IP visibility for logging or ACLs, configure the new proxyproto plugin. This is particularly valuable for environments where client IP-based policies or audit trails are required.

主な変更 (5)
  • New proxyproto plugin enables client IP preservation behind load balancers using Proxy Protocol
  • Fixed ACL bypass vulnerability by reordering rewrite plugin execution before ACL checks
  • Strengthened loop detection security by switching to cryptographically secure randomness
  • Resolved TLS+IPv6 forwarding parsing errors that affected encrypted DNS traffic
  • Enhanced DNS logging with response Type and Class metadata for better observability
原文

CRI-O

Kubernetes Core2026年3月3日

日本語 準備中CRI-O v1.33.10 fixes a critical bug in high performance hook IRQ SMP affinity handling that could cause IRQ interference between containers during late deletion scenarios.

  • securityUpdate immediately if using high performance hooks

    This bug could cause performance degradation or unexpected behavior in high-performance workloads by interfering with IRQ handling between containers. If you're running CRI-O with high performance hooks enabled (typically in HPC or latency-sensitive environments), upgrade immediately to prevent IRQ SMP affinity corruption that occurs during container cleanup.

主な変更 (3)
  • Fixed IRQ SMP affinity bug in high performance hooks preventing cross-container interference
  • Resolved issue where late container deletion affected IRQ settings of other containers
  • No dependency changes or new features in this patch release
原文

CRI-O

Kubernetes Core2026年3月3日

日本語 準備中CRI-O v1.35.1 fixes critical systemd container issues with user namespaces and adds TLS configuration options for API servers.

  • breakingTest systemd workloads with user namespaces

    A regression in v1.35.0 broke systemd containers when hostUsers: false is set. This patch fixes it, but if you're running v1.35.0, upgrade immediately and test any systemd workloads that use user namespace isolation to ensure they start properly.

  • enhancementConfigure TLS settings for production security

    New TLS configuration options let you harden streaming and metrics server security. Add tls_min_version and tls_cipher_suites to your [crio.api] section to enforce TLS 1.3 and strong cipher suites in production environments.

  • enhancementVerify runc v1.4.0 compatibility

    The update to runc v1.4.0 brings performance improvements and bug fixes. Test your container workloads, especially those using advanced features like cgroups v2 or checkpoint/restore, to ensure compatibility with the new runtime version.

主な変更 (5)
  • Fixed systemd containers failing with 'Permission denied' errors when user namespaces are enabled
  • Added TLS configuration options (tls_min_version, tls_cipher_suites) for streaming and metrics servers
  • Improved OCI artifact pull fallback logic to skip retries on retryable errors
  • Updated runc to v1.4.0 and multiple dependency versions for stability
  • Enhanced TLS support with configurable TLS 1.2 (default) and TLS 1.3 options
原文

CRI-O

Kubernetes Core2026年3月3日

日本語 準備中CRI-O v1.34.6 is a maintenance release with no functional changes, dependencies, or fixes - purely a version bump from v1.34.5.

  • enhancementSkip this release unless forced by policy

    This release contains zero functional changes. Stay on v1.34.5 unless your organization requires running the latest patch version for compliance reasons. Save the upgrade effort for a release that brings actual improvements.

主な変更 (4)
  • No code changes between v1.34.5 and v1.34.6
  • No dependency updates or removals
  • Release artifacts available for amd64, arm64, ppc64le, and s390x architectures
  • SBOM and signature verification support maintained
原文
月別に見る