RATATOSKRATATOSK
ログイン

リリース

CNCF graduated・incubatingプロジェクトのリリースノートのAI分析。

Kubernetes

Kubernetes Core2026年5月12日

v1.33.12 is a focused patch release with four kubeadm bug fixes targeting cluster init reliability, etcd health checks, and RBAC hardening for kubelet API access.

  • securityRBAC isolation for kube-apiserver's kubelet client is now enforced

    The kube-apiserver now uses a dedicated ClusterRole 'system:kubelet-api-admin' for its kubelet client credentials. This tightens RBAC boundaries and reduces blast radius if credentials are ever misused. No immediate action required for existing clusters, but verify your RBAC audits reflect this role after upgrading kubeadm.

  • enhancementUpgrade kubeadm if you use external load balancers during cluster init

    Previously, kubeadm init would write kubeconfigs pointing at the load balancer endpoint, which fails when the LB isn't provisioned until after the first apiserver starts — a chicken-and-egg problem common with cloud providers. The fix makes init use the local API endpoint instead. If you've been working around this with retry scripts or manual kubeconfig edits, this patch removes the need for those hacks.

  • enhancementEtcd quorum-based health check prevents false failures in partially degraded clusters

    The old all-members health check would fail kubeadm operations if any etcd member was unhealthy, even when quorum was maintained. Now it only blocks when quorum is actually lost. If you run 3- or 5-node etcd clusters and have hit spurious kubeadm upgrade or join failures due to a single unhealthy member, this patch resolves that.

主な変更 (4)
  • kubeadm init now builds in-memory kubeconfigs pointing to localAPIEndpoint instead of controlPlaneEndpoint, fixing failures when load balancers aren't ready at init time
  • kubeadm join no longer attempts LocalAPIEndpoint defaulting on worker nodes, removing a source of join failures
  • kube-apiserver kubelet client now uses a dedicated ClusterRole 'system:kubelet-api-admin' instead of a shared role
  • etcd cluster health check now uses quorum-based evaluation — a degraded but quorum-holding cluster won't block kubeadm operations
原文

CRI-O

Kubernetes Core2026年5月5日

CRI-O v1.36.0 ships CNI health monitoring, configurable GOMAXPROCS injection, TLS hardening options, and a CVE fix — alongside a batch of race condition and cgroupv2 bug fixes.

  • securityPatch CVE-2026-35469 by upgrading to v1.36.0

    The spdystream dependency carried CVE-2026-35469. If you're running v1.35.x, this is a direct reason to upgrade. After upgrading, verify the release bundle with cosign against the signed bundle artifacts — the SLSA provenance and OpenVEX report are both available for this release.

  • breakingValidate CNI plugin behavior under new continuous health monitoring

    CRI-O now polls CNI plugins with STATUS after initial readiness. A plugin that was silently degraded will now actively set NetworkReady=false on the node, blocking pod scheduling. Before upgrading, confirm your CNI plugin properly implements the STATUS verb (Cilium, Calico, and Flannel do; older or custom plugins may not). Test in a non-production cluster first — this is a behavioral change that could surface latent CNI issues.

  • enhancementSet TLS minimums for the CRI-O API — don't leave defaults in production

    New `tls_min_version` and `tls_cipher_suites` options under `[crio.api]` let you enforce TLS 1.2+ and restrict weak cipher suites on the streaming and metrics endpoints. The default is TLS 1.2, but you should explicitly set `tls_min_version = TLS13` in security-sensitive environments and review your cipher suite policy. Update your configuration management (Ansible, SaltStack, etc.) to codify this before the next node rollout.

主な変更 (5)
  • CVE-2026-35469 patched via spdystream dependency update — upgrade immediately if you're on v1.35.x
  • CNI plugin health is now continuously monitored via STATUS verb; unhealthy plugins flip the node to NetworkReady=false and self-heal on recovery
  • New `min_injected_gomaxprocs` config option sets a floor for GOMAXPROCS injected into every container, useful for CPU-constrained workloads
  • TLS 1.2/1.3 and cipher suite configuration added to the `[crio.api]` section for streaming and metrics servers
  • Fixed v1.35.0 regression: systemd containers with user namespaces (hostUsers: false) were failing with 'Permission denied' on cgroup creation
原文

CRI-O

Kubernetes Core2026年5月5日

v1.35.3 patches CVE-2026-35469, fixes a container stop panic and exit-code race, adds CNI health monitoring (then reverts it), and introduces GOMAXPROCS floor injection for containers.

  • securityPatch CVE-2026-35469 by upgrading to v1.35.3

    The spdystream dependency had a vulnerability (CVE-2026-35469) fixed by bumping to moby/spdystream v0.5.1. If you're running v1.35.x, upgrade to v1.35.3 now. There's no workaround — the fix is only in the updated binary.

  • breakingCNI health monitoring was added and then reverted in the same release

    CRI-O briefly added continuous CNI plugin health checks using the STATUS verb, which would have marked nodes NetworkReady=false on plugin failures. It was reverted before this release shipped because it caused bootstrapping regressions. Net result: no behavior change for CNI in v1.35.3. But if you saw this feature in changelogs and planned for it, don't — it's gone and will likely return in a future release with fixes.

  • enhancementUse 'min_injected_gomaxprocs' to prevent CPU underutilization in containers with low CPU requests

    Containers with very low cpu.request values can end up with GOMAXPROCS=1, throttling Go-based workloads. The new 'min_injected_gomaxprocs' config field sets a floor so CRI-O injects max(floor, cpu.request) as GOMAXPROCS. This is particularly useful for Go-based sidecars or agents that are request-constrained but need threading headroom. Set this in your CRI-O config if you run Go workloads with conservative CPU requests.

主な変更 (6)
  • CVE-2026-35469 fixed via spdystream dependency bump from v0.5.0 to v0.5.1
  • Panic on concurrent StopContainer calls fixed — this was a real crash risk in high-churn environments
  • Exit code 255 race condition resolved for fast-exiting containers
  • New 'min_injected_gomaxprocs' config option sets a floor for GOMAXPROCS injected into every container
  • CNI health monitoring (STATUS verb polling) was added then immediately reverted due to node bootstrapping regressions — net effect is no CNI monitoring change in this release
  • New 'container_runtime_crio_default_runtime' metric exposes which runtime is configured on the node
原文

CRI-O

Kubernetes Core2026年5月5日

CRI-O v1.34.8 patches CVE-2026-35469 in the spdystream dependency and adds two operator-facing features: a new runtime metric and configurable GOMAXPROCS injection.

  • securityPatch CVE-2026-35469 — update to v1.34.8 now

    The spdystream library had a vulnerability fixed in this release. spdystream is used for streaming connections (exec, attach, port-forward), so exposure is real in any cluster. Upgrade CRI-O to v1.34.8 on all nodes. No config changes required — the fix is purely a dependency bump.

  • enhancementUse the new runtime metric to audit node configurations

    The `container_runtime_crio_default_runtime` metric lets you confirm — via your existing Prometheus stack — that every node is actually running the runtime you expect (e.g., runc vs. kata-containers). This is particularly useful in mixed-runtime clusters or after node image upgrades where config drift can go undetected. Add an alert for unexpected runtime values once you've upgraded.

  • enhancementEvaluate min_injected_gomaxprocs for CPU-constrained workloads

    If you run containers with very low cpu.request values (e.g., 0.1 cores), Go runtimes default to GOMAXPROCS=1, which can serialize work that should be parallel. Setting `min_injected_gomaxprocs` raises the floor so those containers get a more reasonable thread count. Be cautious on dense nodes: raising GOMAXPROCS across all containers increases goroutine scheduling overhead. Test with a non-Guaranteed workload first and watch CPU throttling metrics before rolling out cluster-wide.

主な変更 (4)
  • CVE-2026-35469 fixed by bumping moby/spdystream from v0.5.0 to v0.5.1
  • New `container_runtime_crio_default_runtime` metric exposes which container runtime is configured as default on each node
  • New `min_injected_gomaxprocs` config option sets a floor for GOMAXPROCS injected into every container CRI-O creates
  • GOMAXPROCS injection logic: CRI-O uses max(floor, cpu.request) except for Guaranteed QoS pods or partitioned workloads
原文

CRI-O

Kubernetes Core2026年5月5日

v1.33.12 patches CVE-2026-35469 via a spdystream dependency bump and adds a new min_injected_gomaxprocs option for controlling GOMAXPROCS floor in containers.

  • securityPatch CVE-2026-35469 — upgrade now

    The spdystream dependency update addresses CVE-2026-35469. Since spdystream handles HTTP/2 multiplexing in CRI-O's communication paths, any cluster running v1.33.x should move to v1.33.12 promptly. Check your vulnerability scanner results for this CVE and treat this as a routine security patch cycle rather than waiting for your next maintenance window.

  • enhancementUse min_injected_gomaxprocs to prevent CPU underutilization in Go workloads

    Go runtimes default GOMAXPROCS to the number of logical CPUs on the node, which causes goroutine scheduling inefficiency when containers have small cpu.request values. This new option lets you set a floor (e.g., 2 or 4) so containers don't get starved of OS threads. It only applies to Burstable and BestEffort pods — Guaranteed QoS pods and partitioned workloads are unaffected. Start by auditing Go-based workloads in your cluster that run with low cpu.request; set min_injected_gomaxprocs conservatively and monitor goroutine behavior before widening the floor.

主な変更 (4)
  • CVE-2026-35469 fixed by updating moby/spdystream from v0.5.0 to v0.5.1
  • New min_injected_gomaxprocs config option sets a GOMAXPROCS floor for all containers CRI-O creates
  • GOMAXPROCS injection logic: CRI-O injects max(floor, cpu.request), but only for non-Guaranteed QoS pods or partitioned workloads
  • Guaranteed QoS pods and partitioned workloads are excluded from the GOMAXPROCS injection behavior
原文

etcd

Kubernetes Core2026年5月1日

etcd v3.6.11 is a patch release. The release notes are sparse — check the full CHANGELOG for specifics before upgrading.

  • breakingRead the upgrade guide before patching

    The release explicitly warns of potential breaking changes in the 3.6 upgrade path. Don't treat this as a routine patch drop — pull the CHANGELOG-3.6.md and the upgrade guide, diff against your current version, and validate in a non-prod cluster first.

  • enhancementVerify container registry source in your pipelines

    etcd's primary registry is gcr.io, not Docker Hub or quay.io. If your CI/CD or Kubernetes manifests still pin quay.io/coreos/etcd, you're on the secondary mirror which may lag. Update image references to gcr.io/etcd-development/etcd to stay on the canonical source.

主な変更 (4)
  • No inline changelog provided; full details live in CHANGELOG-3.6.md
  • Upgrade guide should be reviewed before applying — breaking changes may exist in the 3.6 series
  • Primary container image served from gcr.io/etcd-development/etcd, with quay.io/coreos/etcd as fallback
  • Supported platform matrix updated — verify your OS/arch combo before deploying
原文

etcd

Kubernetes Core2026年5月1日

etcd v3.5.30 is a maintenance release in the 3.5 series. No release notes were published beyond pointers to the full changelog — check the CHANGELOG-3.5.md directly for specifics.

  • breakingRead the full CHANGELOG before upgrading

    The release announcement is intentionally sparse — it just points to CHANGELOG-3.5.md. Before upgrading any etcd cluster, pull up that changelog directly and review every entry since your current version. etcd upgrades in production clusters carry real risk; skipping the changelog review is how you get surprised by behavior changes or data format shifts.

  • enhancementStick to gcr.io as your primary image source

    The release explicitly lists gcr.io/etcd-development/etcd as primary and quay.io/coreos/etcd as secondary. If your deployment pipelines or air-gapped mirrors are still defaulting to quay.io, consider updating them to match the project's own priority — gcr.io tends to get images published first.

主な変更 (4)
  • No detailed release notes provided in this release announcement
  • Full change list available in CHANGELOG-3.5.md on the etcd GitHub repository
  • Upgrade guide should be reviewed before upgrading, as breaking changes may be present
  • Container images available on gcr.io/etcd-development/etcd (primary) and quay.io/coreos/etcd (secondary)
原文

etcd

Kubernetes Core2026年5月1日

etcd v3.4.44 is a maintenance release on the 3.4 branch. Release notes are sparse — check the full CHANGELOG for the actual fix list before upgrading.

  • breakingReview CHANGELOG before upgrading — release notes are empty

    The published release notes contain no change summary. Before upgrading any production cluster, pull up CHANGELOG-3.4.md directly and diff against your current version. Skipping this step on a Kubernetes control plane means you could hit an undocumented behavioral change mid-upgrade.

  • enhancementStill on 3.4? Evaluate migration to 3.5

    3.4.x receives only critical fixes at this point. If you're running etcd as a Kubernetes backing store, now is a good time to plan a move to 3.5, which has a longer active support runway. Check Kubernetes version compatibility before scheduling the upgrade.

主な変更 (4)
  • Maintenance release on the 3.4.x stable branch
  • Full change details available only in the CHANGELOG-3.4.md, not summarized in release notes
  • Container images available on gcr.io/etcd-development/etcd (primary) and quay.io/coreos/etcd (secondary)
  • Upgrade guide should be reviewed before applying, as breaking changes may be present
原文

containerd

Kubernetes Core2026年4月30日

containerd 2.3.0 is the first LTS release under the new Kubernetes-aligned 4-month cadence, offering 2+ years of support with major NRI, EROFS, and observability improvements.

  • breakingRename NRI plugins with commas in their names before upgrading

    The new OCI hook owner accumulation logic uses commas as delimiters internally, so any NRI plugin whose name contains a comma will break. Audit your NRI plugin names now. If any contain commas, rename them before rolling out 2.3.0 — this affects both the plugin binary name and any configuration referencing it.

  • enhancementPlan your 1.7 → 2.3 LTS migration now

    This is the designated upgrade target from containerd 1.7 LTS. The project explicitly tests and supports direct sequential LTS-to-LTS upgrades. If you're still on 1.7, this is the right time to build a migration plan — 2.3 gets at least two years of support, making it the stable foundation for Kubernetes clusters through roughly 2027.

  • enhancementEnable trace propagation for better plugin and runtime observability

    OTel traces now flow through gRPC RPCs between containerd and its plugins, and trace IDs can be injected into log lines. If you run a distributed tracing stack (Jaeger, Tempo, etc.), configure the OTLP exporter in containerd's config and enable trace ID injection in logging. This closes a major gap where container lifecycle events were invisible to your tracing backend.

主な変更 (5)
  • First LTS release in the 2.x line — direct upgrade path from 1.7 LTS is tested and supported
  • NRI gets massive capability expansion: user/group IDs, seccomp policy, rlimits, sysctls, network devices, Intel RDT, and kernel scheduling policy now all passable to plugins
  • EROFS support matures with zstd-wrapped layers, dmverity integration, and native container image media types
  • OpenTelemetry traces now propagate through outgoing gRPC RPCs from plugin clients, with trace ID injection into logs
  • NRI breaking change: commas are no longer allowed in plugin names due to OCI hook owner accumulation logic
原文

containerd

Kubernetes Core2026年4月30日

containerd API v1.11.0 ships a new shim bootstrap protocol, container filesystem copy transfer types, and sandbox spec field support — aligning with the containerd 2.3 runtime release.

  • securitygRPC updated from v1.59.0 to v1.79.3 — multiple CVE fixes included

    A 20-minor-version jump in gRPC covers a significant span of security and stability fixes. If your environment pins or vendors gRPC separately, reconcile your dependency tree against v1.79.3. The golang.org/x/* packages also moved forward across the board, so a full dependency audit is warranted before deploying this API version in production.

  • breakingSandbox API: Container field removed, update any sandbox metadata consumers

    The Container field has been dropped from sandbox metadata and replaced with a spec field. If you have tooling, controllers, or custom runtimes that read or write sandbox metadata directly, audit them now. This is an API-level change — anything compiled against the old proto definitions will break at runtime when targeting containerd 2.3.

  • breakingShim bootstrap protocol is now protobuf — custom shim implementations need updating

    The new shim bootstrap protocol switches from JSON to protobuf and uses enums instead of strings for capabilities and log levels. If you maintain a custom shim or vendor the containerd API, you must update your bootstrap handling before deploying containerd 2.3. Third-party shims (e.g., kata-containers, nydus) likely need corresponding releases — check their compatibility before upgrading.

主な変更 (6)
  • New shim bootstrap protocol introduced: uses protobuf (not JSON), enums for capabilities/log levels, and includes containerd version at shim launch
  • Shim socket directory now uses the configured state directory instead of a hardcoded path
  • Transfer API gains new types for container filesystem copy operations
  • Sandbox API updated: Container field removed, spec field added to sandbox metadata
  • EROFS native container image support extended with os.features field in platform proto
  • gRPC dependency jumped from v1.59.0 to v1.79.3; protobuf toolchain migrated from protobuild to buf
原文

Kubernetes

Kubernetes Core2026年4月22日

Kubernetes v1.36 is a large release with multiple GA promotions, significant DRA expansions, new gang-scheduling APIs, and several metric renames that require immediate action before upgrading.

  • breakingUpdate monitoring before upgrading: two metric renames

    The metrics `volume_operation_total_errors` and `etcd_bookmark_counts` have been renamed to `volume_operation_errors_total` and `etcd_bookmark_total` respectively. Any Prometheus alerts or Grafana dashboards using the old names will silently stop firing after upgrade. Audit your monitoring stack and update all references before rolling out v1.36 to production.

  • breakingDRA RBAC changes required if using DRAResourceClaimGranularStatusAuthorization

    The `DRAResourceClaimGranularStatusAuthorization` feature gate is beta and on by default in v1.36. DRA schedulers and controllers now need explicit `update`/`patch` on `resourceclaims/binding`, and DRA drivers need `associated-node:update` or `arbitrary-node:update` on `resourceclaims/driver` scoped to their specific `resourceNames`. If you run DRA drivers, audit and update their RBAC manifests before upgrading, or pods will fail to schedule.

  • breakingflex-volume and git-repo volume plugin removals

    kubeadm no longer mounts the flex-volume plugin directory automatically, and the git-repo volume plugin is permanently disabled. If any workloads still use git-repo volumes, they will stop working — there's no flag to re-enable it. Migrate to an init container pattern or a CSI driver. For flex-volumes in kubeadm environments, you must manually configure extraVolumes and a non-distroless KCM image before upgrading to v1.36.

  • breakingStrictIPCIDRValidation on by default — check your IP/CIDR fields

    API fields now reject IPs with leading zeros (e.g., `010.0.0.1`) and CIDRs with host bits set (e.g., `192.168.1.5/24` instead of `192.168.1.0/24`). Existing objects are preserved via validation ratcheting, but new creates and updates will fail if they use these formats. Audit your manifests, Helm charts, and automation for non-canonical IP/CIDR values before upgrading.

  • enhancementMutatingAdmissionPolicy is now GA — consider replacing webhook boilerplate

    MutatingAdmissionPolicy (CEL-based mutation) is now v1 and enabled by default. If you're running simple mutating webhooks that set defaults or inject labels/annotations, this is a good time to evaluate replacing them with MutatingAdmissionPolicy resources. CEL-based policies eliminate the need to maintain webhook servers, certificates, and availability concerns. Start with low-risk, stateless mutations.

主な変更 (7)
  • Two metric renames require dashboard/alert updates before upgrade: `volume_operation_total_errors` → `volume_operation_errors_total` and `etcd_bookmark_counts` → `etcd_bookmark_total`
  • flex-volume support removed from kubeadm; git-repo volume plugin disabled permanently — migrate to CSI if still using either
  • DRA gets major expansions: device taints/tolerations to beta, DRAAdminAccess and DRAPrioritizedList to GA, new list-type attributes, NativeResourceMappings, and granular RBAC for ResourceClaim status updates now required
  • UserNamespacesSupport graduates to GA; MutatingAdmissionPolicy reaches GA (v1) and is enabled by default
  • StrictIPCIDRValidation is now on by default — API fields reject IPs/CIDRs with leading zeros or ambiguous subnet masks
  • New scheduling.k8s.io/v1alpha2 Workload/PodGroup APIs introduced for gang-scheduling; v1alpha1 Workload API removed
  • InPlacePodLevelResourcesVerticalScaling graduates to beta (on by default), enabling in-place CPU/memory resize at the pod level
原文

CoreDNS

Kubernetes Core2026年4月22日

CoreDNS v1.14.3 ships full TSIG verification across all transports, multiple Go security CVE fixes, cache prefetch improvements, and a new forward plugin max_age option — a solid operational hardening release.

  • securityUpgrade immediately for 13 Go CVE fixes and TSIG transport hardening

    Go 1.26.2 in this build addresses 13 CVEs. Beyond the runtime fixes, TSIG verification gaps in DoH, DoH3, QUIC, and gRPC transports are now closed — if you run any of those transports with TSIG, unauthenticated requests could previously slip through. Upgrade to v1.14.3 and verify your TSIG configurations are still valid after the stricter enforcement.

  • breakingDoH oversized GET requests are now rejected — validate your clients

    CoreDNS now rejects oversized dns query parameters in DoH GET requests. Any client sending unusually large DNS-over-HTTPS GET queries will start getting errors. Test your DoH clients against this build in staging before rolling out; most well-behaved clients are unaffected, but custom or non-standard DoH implementations should be checked.

  • enhancementUse max_age in the forward plugin to prevent stale upstream connections

    Long-lived upstream connections can silently degrade or get dropped by middleboxes. The new max_age option in the forward plugin lets you set an absolute connection lifetime. If you've seen sporadic upstream timeouts or resolution failures that resolve themselves, configure max_age to force periodic reconnection — start with something like 30s–5m depending on your upstream stability.

主な変更 (5)
  • Full TSIG verification now enforced on DoH, DoH3, QUIC, and gRPC transports — previously these transports lacked complete verification
  • Built with Go 1.26.2, patching 13 CVEs including CVE-2026-32282, CVE-2026-32289, CVE-2026-33810, and others
  • Cache prefetching reworked to release client connections before fetching upstream, preventing connection exhaustion under load
  • New max_age option in the forward plugin enforces absolute connection lifetime, helping with stale upstream connection issues
  • Metrics endpoint now supports optional TLS, and Go runtime metrics can be selectively exported
原文

Kubernetes

Kubernetes Core2026年4月15日

v1.33.11 is a targeted patch fixing two networking bugs — apiserver startup failures with MultiCIDRServiceAllocator and kube-proxy nftables breakage on nft 1.1.3 — plus a Go 1.25.9 compiler bump.

  • breakingUpgrade now if using MultiCIDRServiceAllocator with large clusters

    If you have MultiCIDRServiceAllocator enabled and a large namespace count, apiserver can fail to start during an upgrade — it was hitting Forbidden errors from admission plugins that weren't ready yet and not retrying. This patch makes that retry happen. If you've been deferring upgrades to 1.33 because of this, you're now unblocked. Check your apiserver logs for 'Forbidden' errors from the IP repair controller as a diagnostic signal.

  • breakingkube-proxy nftables mode is broken on nft 1.1.3 — patch immediately

    Systems running nft 1.1.3 (which ships in some recent distro releases) will have silently broken kube-proxy nftables mode. Traffic may appear to work at first but rule updates won't apply correctly. If your nodes run nft 1.1.3, either pin to an older nft version as a workaround or — better — upgrade to this patch release. Run 'nft --version' on your nodes to check.

  • enhancementOTel dependency jump to v1.41.0 — validate your observability pipeline

    The OpenTelemetry Go SDK went from v1.33.0 to v1.41.0 in this patch, which is a substantial version range. If you're consuming Kubernetes telemetry data or running sidecars that interact with the OTel SDK, verify compatibility with your collectors and backends after upgrading. No functional changes are documented for Kubernetes itself, but the jump is large enough to warrant a smoke test of your tracing and metrics pipelines in a non-prod environment first.

主な変更 (5)
  • Go compiler updated to 1.25.9 (security and runtime improvements baked in)
  • Fixed apiserver startup crash during upgrades when MultiCIDRServiceAllocator is enabled in clusters with many namespaces — the IP repair controller now retries on Forbidden errors from not-yet-ready admission plugins
  • Fixed kube-proxy nftables mode compatibility with nft 1.1.3, which was silently broken
  • OpenTelemetry dependencies bumped from v1.33.0 to v1.41.0 — a large jump for observability consumers
  • knftables library updated from v0.0.17 to v0.0.21, directly tied to the nftables fix
原文

Kubernetes

Kubernetes Core2026年4月15日

v1.34.7 is a focused patch release fixing two regressions — audit log latency annotations and nftables kube-proxy compatibility — plus a Go 1.25.9 rebuild.

  • breakingAudit log latency data was silently missing — patch if you rely on it

    Any 1.34.x cluster prior to this patch has been dropping the request latency annotation from audit logs whenever a request exceeded 500ms. If your security or compliance tooling parses these annotations for SLO tracking or anomaly detection, your data has gaps. Upgrade to v1.34.7 and consider whether historical audit logs need to be flagged as incomplete for that window.

  • breakingnftables kube-proxy is broken on nft 1.1.3 — don't skip this patch

    Clusters running kube-proxy in nftables mode on nodes with nft 1.1.3 (common in newer distros like Fedora 42 or Ubuntu 25.04) have non-functional networking. This isn't a performance issue — it's a hard failure. Either pin nft to an older version as a workaround or upgrade to v1.34.7 immediately. The fix is in the knftables library bump (v0.0.17 → v0.0.21).

  • enhancementOTel dependency jump to v1.41.0 — verify your tracing integrations

    The OpenTelemetry Go packages moved from v1.35.0 to v1.41.0, which is a substantial jump. If you have custom instrumentation or sidecars that interact with Kubernetes' OTel spans, test in staging first. The change is backward-compatible in the API but internal behavior around span propagation and metric collection has evolved.

主な変更 (5)
  • Rebuilt with Go 1.25.9, picking up upstream language and runtime fixes
  • Fixed 1.34+ regression where audit log was missing request latency annotations for requests over 500ms
  • Fixed kube-proxy nftables mode broken on systems running nft 1.1.3
  • Fixed device plugin test failures after kubelet restart (test stability, not a runtime bug)
  • OpenTelemetry dependencies bumped from v1.35.0 to v1.41.0 across otel, metric, and trace packages
原文

Kubernetes

Kubernetes Core2026年4月15日

v1.35.4 is a focused patch fixing five real-world bugs: sidecar container restart failure, StatefulSet parallel scaling regression, kube-proxy nftables breakage, and audit log latency annotation errors.

  • breakingCheck StatefulSet workloads if you rely on MaxUnavailable rolling behavior

    The MaxUnavailableStatefulSet feature gate is now disabled by default in 1.35.4, reversing behavior introduced earlier in 1.35. If you upgraded to 1.35.x expecting parallel pod management with maxUnavailable, that behavior is gone until the feature stabilizes. Audit your StatefulSet specs: if you set maxUnavailable, it will be silently ignored. Plan accordingly before upgrading, and watch for the gate to re-enable in a future minor.

  • breakingSidecar + startupProbe combination was silently broken — upgrade promptly

    Any pod using an initContainer with restartPolicy: Always alongside a startupProbe would silently fail to restart crashed containers after a kubelet restart, showing RestartCount: 0 forever. This affects production workloads relying on sidecars (e.g., service mesh proxies, log shippers). If you've seen pods stuck in this state, upgrading to 1.35.4 and then manually deleting/recreating affected pods is the remediation path.

  • enhancementUpgrade kube-proxy if running nft 1.1.3 on nodes

    Systems with nft (nftables) version 1.1.3 were broken in kube-proxy's nftables mode. This is a quiet but hard failure — networking simply doesn't work. If you're on newer distros shipping nft 1.1.3 (some recent Debian/Ubuntu variants), prioritize this patch upgrade for your node components.

主な変更 (5)
  • StatefulSet regression fix: MaxUnavailableStatefulSet feature disabled by default to restore stable parallel pod management behavior from pre-1.35
  • Sidecar container bug: pods with initContainers (restartPolicy: Always) and startupProbes no longer get stuck at RestartCount: 0 after kubelet restarts
  • kube-proxy nftables mode now works correctly on systems running nft 1.1.3
  • Audit log fix: apiserver request latency annotation now correctly reported for requests exceeding 500ms (regression since 1.34)
  • Built with Go 1.25.9; OpenTelemetry libraries bumped to v1.41.0
原文

containerd

Kubernetes Core2026年4月14日

containerd v2.2.3 patches CVE-2026-35469 in spdystream and fixes several bugs including whiteout handling in parallel unpacks, TOCTOU race in tar extraction, and Go 1.24 symlink regressions.

  • securityPatch CVE-2026-35469: upgrade to v2.2.3 now

    CVE-2026-35469 affects moby/spdystream, which containerd uses for streaming connections. The fix is in spdystream v0.5.1, bundled in this release. If you're running any 2.2.x version, treat this as a mandatory upgrade — don't wait for your next maintenance window.

  • breakingParallel unpack whiteout bug could mean corrupted layer state — verify images

    A bug caused whiteout files (which signal file deletions between layers) to be ignored when parallel unpack was enabled. If you've been using parallel unpack with overlayfs, layer deletion semantics may not have applied correctly. After upgrading, re-pull any images that were unpacked in parallel to ensure their layer state is consistent.

  • enhancementGo 1.24 users on NixOS or symlink-heavy rootfs: this fixes your container startup failures

    Absolute symlink handling in rootfs user/group lookups regressed with Go 1.24. This affected systems where /etc/passwd or /etc/group are symlinks (common on NixOS-style setups). If you've seen user lookup failures or container start errors after moving to Go 1.24-built binaries, upgrading to v2.2.3 resolves this.

主な変更 (5)
  • Security patch for CVE-2026-35469 via spdystream upgrade to v0.5.1
  • Fixed whiteouts being silently ignored during parallel unpack — critical for image correctness
  • TOCTOU race condition hardened in tar extraction path
  • runc updated to v1.3.5
  • Absolute symlink resolution fixed for /etc/passwd and /etc/group lookups, addressing Go 1.24 regressions on NixOS-style and similar systems
原文

containerd

Kubernetes Core2026年4月14日

containerd 2.0.8 patches CVE-2026-35469 in spdystream, fixes a credential leak in CRI error messages, and resolves a CNI DEL lifecycle bug after containerd restarts.

  • securityPatch CVE-2026-35469 by upgrading to 2.0.8 now

    CVE-2026-35469 lives in the moby/spdystream dependency. Details are in a GitHub security advisory. If you're running containerd 2.0.x in any cluster, upgrade to 2.0.8 — this is the primary reason for the release. Don't wait for your next maintenance window if the advisory turns out to be high severity.

  • securityCheck your pod event logs for past credential exposure

    Before this fix, registry credentials or other secrets embedded in URLs could appear in plaintext inside CRI gRPC error messages and pod events. If you're shipping pod events to a logging backend (Datadog, Splunk, ELK, etc.), audit recent logs for query parameters that shouldn't be there. Going forward, 2.0.8 redacts these before they leave containerd.

  • breakingValidate CNI network cleanup works correctly after upgrading

    The CNI DEL bug meant network namespaces and CNI plugin state weren't cleaned up when a pod was deleted after a containerd restart. This could leave stale network state on nodes. After upgrading to 2.0.8, verify that pod deletion properly invokes CNI DEL — especially on nodes that have experienced containerd restarts. If you've noticed orphaned network interfaces or IP allocation issues, this fix is the likely culprit.

主な変更 (5)
  • CVE-2026-35469: spdystream updated from v0.4.0 to v0.5.1 to address the vulnerability
  • CRI error sanitization: gRPC errors and query parameters are now redacted before returning to callers, preventing credential exposure in pod events
  • CNI DEL fix: network teardown was silently skipped after a containerd restart — this is now corrected
  • SELinux library updated to v1.13.1 (opencontainers/selinux)
  • Go toolchain updated to 1.25.9 / 1.26.2
原文

containerd

Kubernetes Core2026年4月14日

containerd 2.1.7 patches CVE-2026-35469 in spdystream and ships several hardening fixes including credential leak prevention via gRPC and a TOCTOU race in tar extraction.

  • securityPatch CVE-2026-35469 by upgrading to 2.1.7 now

    CVE-2026-35469 in moby/spdystream is fixed in this release. spdystream is used in the CRI streaming path, so any cluster running Kubernetes workloads with exec/attach/port-forward is potentially exposed. Upgrade containerd to 2.1.7 on all nodes. No config changes needed, just a binary swap and daemon restart.

  • securityCredential leak via gRPC pod events is now closed

    Before this fix, raw errors containing registry credentials could surface in pod events visible to namespace-scoped users. If your clusters allow broad pod event access, assume credentials may have been exposed in logs or event streams. Rotate any registry pull secrets used on affected clusters, then upgrade to 2.1.7 to prevent recurrence.

  • enhancementCNI DEL fix prevents IP/resource leaks after restarts

    A bug meant CNI DEL was never called for sandboxes cleaned up after a containerd restart, leaking network resources. If you've seen stale IPs or CNI state after node restarts, this is likely why. Upgrade to 2.1.7 and consider draining nodes before restarting containerd to clear any existing leaked state.

主な変更 (5)
  • CVE-2026-35469 patched via spdystream upgrade to v0.5.1
  • gRPC error sanitization prevents credential leaks in pod events
  • TOCTOU race condition fixed in tar extraction
  • CNI DEL now executes correctly after containerd restart
  • runc updated to v1.3.5; read-only bind-mount flags preserved in user namespaces
原文

containerd

Kubernetes Core2026年4月14日

v1.7.31 patches CVE-2026-35469 in spdystream, fixes a CNI DEL regression after restarts, and closes a credential leak in pod events via gRPC error sanitization.

  • securityPatch CVE-2026-35469 by upgrading to v1.7.31 now

    CVE-2026-35469 affects the moby/spdystream library used for SPDY multiplexing. The fix is in spdystream v0.5.1, bundled here. If you're running any 1.7.x release prior to this, upgrade immediately — especially on clusters where the CRI streaming server is exposed or where kubectl exec/attach/port-forward traffic flows through containerd.

  • securityAudit pod event logs for previously leaked credentials

    A bug caused raw error messages — potentially containing registry credentials — to be returned over gRPC and surface in pod events. After upgrading, review historical pod event logs (kubectl get events, or your log aggregation system) for any entries containing auth tokens, passwords, or image pull secrets from before this fix was applied. Rotate any credentials you find.

  • breakingVerify CNI network teardown is working correctly after upgrade

    The CNI DEL fix means containers that previously left behind stale network state after a containerd restart will now properly clean up. This is the right behavior, but if you have automation or scripts that assumed CNI DEL was idempotent-by-absence (i.e., expected cleanup to be skipped), test those workflows. Nodes with a history of unclean restarts may see cleanup activity on first pod deletion post-upgrade.

主な変更 (5)
  • CVE-2026-35469: spdystream updated from v0.2.0 to v0.5.1 to address the vulnerability
  • CNI DEL now correctly executes after a containerd restart — previously orphaned network teardowns were silently skipped
  • gRPC error paths sanitized to prevent registry credentials from leaking into pod events
  • runc binary bumped to v1.3.5
  • TOCTOU race bug fixed in tar extraction
原文

Helm

Kubernetes Core2026年4月9日

Security-only patch fixing a path traversal vulnerability in chart extraction. Upgrade immediately if you pull charts from untrusted sources.

  • securityPatch a chart extraction path traversal — upgrade now

    A crafted Chart.yaml using dot-segments (e.g., '..') in the chart name could cause Helm to write files outside the intended extraction directory. This is a classic directory traversal attack vector. If your pipelines pull charts from public repos, third-party registries, or any source you don't fully control, treat this as critical and upgrade to v3.20.2 today. Teams operating fully air-gapped with only internally authored charts have lower immediate risk, but should still upgrade on the next maintenance window.

主な変更 (3)
  • GHSA-hr2v-4r36-88hr patched: malicious Chart.yaml with dot-segment names could collapse output directory paths during chart extraction
  • No functional changes — purely a security fix
  • Next patch releases (4.1.5 / 3.20.3) scheduled for April 8, 2026
原文

Helm

Kubernetes Core2026年4月9日

Helm v4.1.4 is a security-only patch fixing three vulnerabilities: chart extraction path traversal, plugin signature bypass, and plugin version path traversal enabling arbitrary file writes.

  • securityUpgrade immediately — all three CVEs are exploitable via untrusted input

    Two of these bugs (chart extraction collapse and plugin version path traversal) allow writing files to arbitrary locations on the filesystem. The third lets anyone install an unsigned plugin if they control the distribution channel. If your CI/CD pipeline pulls charts or plugins from external or semi-trusted sources, you are exposed on any Helm version before this patch. Upgrade to v4.1.4 (or v3.20.3 when released April 8) now. Don't wait for a maintenance window.

  • securityAudit your plugin sources before upgrading — unsigned plugins may have slipped through

    The provenance bypass (GHSA-q5jf-9vfq-h4h7) means any Helm installation that had plugin verification enabled could still have installed unsigned plugins if the .prov file was simply absent. Before upgrading, audit installed plugins with 'helm plugin list' and verify their origins manually. After upgrading, reinstall any plugins from official sources to ensure provenance is properly checked.

  • enhancementPin Helm in CI to this exact version now

    If you use a floating version reference like 'latest' or a minor-pinned tag in your CI pipeline, update it to v4.1.4 explicitly. The Helm team also pinned the CodeQL action to a commit SHA in this release — a good reminder to apply the same discipline to your own toolchain dependencies.

主な変更 (4)
  • GHSA-hr2v-4r36-88hr: Malicious Chart.yaml names using dot-segments could collapse extraction paths outside intended directories
  • GHSA-q5jf-9vfq-h4h7: Missing .prov file caused plugin verification to fail open, allowing unsigned plugins to install silently
  • GHSA-vmx8-mqv2-9gmg: Plugin metadata version field accepted path traversal sequences, enabling arbitrary file writes outside the Helm plugin directory
  • No feature changes or behavioral additions — pure security fixes
原文

Lima

Kubernetes Core2026年4月3日

Lima v2.1.1 is a focused patch release adding Windows binary artifacts and fixing a handful of edge-case bugs, with an important bundled nerdctl security update.

  • securityUpdate nerdctl distribution for BuildKit and CNI security fixes

    The bundled nerdctl was bumped from v2.2.1 to v2.2.2, which updates BuildKit to 0.28.1 and CNI plugins to 1.9.1. Both upstream releases include security patches. If you use Lima's nerdctl template for container workloads, upgrade to v2.1.1 promptly and check the BuildKit and CNI plugin release notes to assess CVE impact for your environment.

  • enhancementWindows users can now consume official Lima binaries

    Lima v2.1.1 ships pre-built Windows artifacts for the first time. If your team has Windows developers using Lima (e.g., via WSL2), point them at the official release binaries rather than maintaining custom builds. This simplifies onboarding and keeps everyone on a verified, reproducible build.

  • enhancementFix UID range issues for enterprise/LDAP-managed macOS users

    macOS guests now accept UIDs outside the conventional range. If any users in your org run Lima on corporate-managed Macs with directory-assigned UIDs (common with LDAP or Active Directory integration), this fixes silent failures that were hard to diagnose. No config change needed — just upgrade.

主な変更 (5)
  • Windows binary artifacts now shipped with official releases — no more building from source on Windows
  • macOS guest: unusual UID ranges (outside typical 500–32000) are now accepted, fixing failures for some corporate directory setups
  • Virtualization Framework (vz): `audio.device=none` is now correctly respected instead of being silently ignored
  • nerdctl bumped to v2.2.2, pulling in BuildKit 0.28.1 and CNI plugins 1.9.1 — both carry security fixes
  • AlmaLinux Kitten 10 template gains riscv64 support
原文

CRI-O

Kubernetes Core2026年4月2日

v1.33.11 is a maintenance patch with no code changes or dependency updates — purely a rebuild/re-release against the v1.33.10 baseline.

  • enhancementSkip this upgrade if you're already on v1.33.10

    There are zero functional or security changes here. If your nodes are running v1.33.10 without issues, there's no practical reason to roll this out. Watch for v1.33.12 or a patch with actual fixes before scheduling maintenance windows.

  • enhancementUse SBOM and cosign artifacts for supply chain verification

    Every build ships SPDX SBOMs and cosign bundle files. If your org has supply chain security requirements, integrate cosign verification into your upgrade pipeline now — this is a low-risk release to test that workflow against before a more impactful update arrives.

主な変更 (4)
  • No code changes between v1.33.10 and v1.33.11
  • No dependency additions, updates, or removals
  • Release artifacts available for amd64, arm64, ppc64le, and s390x
  • SPDX SBOMs and cosign signatures provided for all artifacts
原文

CRI-O

Kubernetes Core2026年4月2日

CRI-O v1.35.2 is a focused bug-fix patch addressing image pull credential verification, metrics reporting gaps, and OCI artifact store contamination issues.

  • breakingVerify credential provider workflows after upgrading

    The PullImage fix changes what gets returned during image pulls. If you use Kubernetes credential provider plugins or have automation that validates image pull behavior, test those flows before rolling this to production. The old behavior could silently bypass credential checks in edge cases.

  • enhancementAudit your metrics pipelines — you may have been missing data

    The metrics bug means any cluster running v1.35.x before this patch was likely returning incomplete metrics when 'all' was set. After upgrading, expect metric cardinality to increase. Check dashboards and alerting thresholds — a spike in metrics volume is expected and correct, not a problem.

  • enhancementUse additional_artifact_stores for air-gapped or mirrored artifact setups

    If you run air-gapped clusters or internal artifact mirrors, the new 'additional_artifact_stores' option lets you configure multiple read-only sources without hacking around existing config. Pair this with the pinned_images fix to ensure pinned artifacts are pulled from the right store consistently.

主な変更 (5)
  • PullImage now returns the image ID directly, fixing Kubernetes credential verification compatibility
  • Metrics endpoint now returns all metrics when 'all' is configured — previously silently incomplete
  • Regular container images can no longer accidentally land in the OCI artifact store
  • pinned_images configuration now applies consistently to artifact store images, not just regular containers
  • New 'additional_artifact_stores' config option for adding read-only artifact store sources
原文

CRI-O

Kubernetes Core2026年4月2日

CRI-O v1.34.7 is a patch release with no code changes or dependency updates from v1.34.6 — essentially a rebuild or release process artifact.

  • enhancementSafe to skip unless you need the rebuild

    This release carries zero functional or security changes. If you're already on v1.34.6, there's no operational reason to upgrade immediately. That said, if your pipeline requires the latest patch tag for compliance or artifact provenance reasons, the SPDX SBOM and cosign bundles are all present and accounted for.

主な変更 (4)
  • No code changes between v1.34.6 and v1.34.7
  • No dependency additions, updates, or removals
  • Artifacts available for amd64, arm64, ppc64le, and s390x
  • SBOM (SPDX format) and cosign signature bundles provided for all architectures
原文

etcd

Kubernetes Core2026年4月1日

etcd v3.6.10 is a patch release in the 3.6 series. Release notes are minimal — check the full CHANGELOG for specifics before upgrading.

  • breakingRead the upgrade guide before rolling this out

    The release explicitly warns of potential breaking changes in v3.6. Before upgrading any cluster, check the official upgrade guide for v3.6 and review the full CHANGELOG-3.6.md. Don't treat this as a routine drop-in patch without that review.

  • enhancementPrefer gcr.io images over quay.io for production pulls

    etcd now designates gcr.io/etcd-development/etcd as the primary registry and quay.io/coreos/etcd as secondary. If your image pull policy or air-gapped mirror config still points primarily to quay.io, update it to reduce dependency on a secondary source.

主な変更 (4)
  • Patch release in the 3.6 series with fixes detailed in the full CHANGELOG
  • Upgrade guide should be reviewed before deploying, as breaking changes may exist
  • Container images available on gcr.io (primary) and quay.io (secondary)
  • Supported platform matrix updated — verify your architecture/OS is still covered
原文

etcd

Kubernetes Core2026年4月1日

etcd v3.5.29 is a maintenance release on the 3.5 branch with no detailed changelog published in the release notes themselves.

  • securityVerify container image source after upgrade

    If you pull etcd images in CI/CD pipelines, confirm you're pointing to gcr.io/etcd-development/etcd as the primary registry. The quay.io mirror is secondary and may lag. Pin to the exact digest rather than the floating tag to avoid supply chain risk.

  • breakingReview the official upgrade guide even for patch releases

    The release explicitly calls out that breaking changes may exist even in 3.5.x patch versions. Don't skip the upgrade guide. Test in a staging environment first, especially if you're running etcd as the backing store for Kubernetes — a botched etcd upgrade can take down your entire control plane.

  • enhancementCheck CHANGELOG-3.5.md before upgrading

    The release notes here are skeletal — no specific fixes or changes are listed. Before upgrading any etcd cluster, pull up CHANGELOG-3.5.md on the etcd GitHub repo and filter for v3.5.29 entries. Patch releases on 3.5 typically carry bug fixes and CVE patches that aren't always obvious from the version bump alone.

主な変更 (4)
  • Maintenance/patch release on the stable 3.5 branch
  • Full change details require consulting the CHANGELOG-3.5.md directly
  • Container images available on gcr.io/etcd-development/etcd (primary) and quay.io/coreos/etcd (secondary)
  • Upgrade guide should be reviewed before upgrading due to potential breaking changes
原文

etcd

Kubernetes Core2026年4月1日

etcd v3.4.43 is a maintenance release on the 3.4 branch. Release notes are sparse — check the full CHANGELOG for specifics before upgrading.

  • breakingAlways consult the upgrade guide on 3.4 patch bumps

    Even on patch releases, the etcd team occasionally introduces subtle behavioral changes or deprecations. The official upgrade guide for v3.4 should be checked — don't assume a patch bump is always safe to apply without review, especially in etcd's case given its role as a control plane data store.

  • enhancementReview CHANGELOG before upgrading

    The release notes themselves contain no inline change details. Before upgrading, pull up CHANGELOG-3.4.md directly and diff against your current version. 3.4.x patches typically carry bug fixes and CVE backports, so skipping the review risks missing a relevant fix or behavioral change.

主な変更 (4)
  • Maintenance release on the 3.4.x stable branch
  • Full change details available only in the CHANGELOG-3.4.md, not inline in release notes
  • Primary container image hosted on gcr.io/etcd-development/etcd; quay.io/coreos/etcd is secondary
  • Upgrade guide should be reviewed prior to deployment
原文

etcd

Kubernetes Core2026年3月20日

etcd v3.6.9 is a maintenance release. The release notes are sparse — check the full CHANGELOG for the actual diff before upgrading.

  • breakingRead the CHANGELOG before upgrading — release notes are incomplete

    The published release notes for v3.6.9 contain no change details. Before upgrading any etcd cluster, pull up CHANGELOG-3.6.md directly and diff the entries since your current version. The 3.6 series has known breaking changes, and skipping this step on a stateful system like etcd is a real risk.

  • enhancementVerify container image source if you pull from quay.io

    etcd's primary registry is gcr.io/etcd-development/etcd. If your pipelines pull from quay.io/coreos/etcd, confirm that image is current and matches the gcr.io digest. Secondary registries can lag. Pin by digest, not just tag, to avoid silent version mismatches.

主な変更 (4)
  • Release notes do not enumerate specific changes; full details are in the CHANGELOG-3.6.md
  • Upgrade guide should be reviewed prior to upgrading due to potential breaking changes in the 3.6 series
  • Primary container image available via gcr.io/etcd-development/etcd; quay.io/coreos/etcd remains the secondary registry
  • Supported platform matrix may have been updated — verify your architecture/OS combo before deploying
原文

etcd

Kubernetes Core2026年3月20日

etcd v3.5.28 is a patch release in the 3.5 series. Release notes are sparse — check the full CHANGELOG for specifics before upgrading.

  • breakingRead the CHANGELOG before upgrading — release notes are incomplete

    The published release notes for v3.5.28 contain no actual change details. Before upgrading any etcd cluster, pull the full CHANGELOG-3.5.md from the etcd repo and review entries since your current version. Skipping this on a stateful system like etcd is a real risk.

  • enhancementStick to the primary container registry for pulls

    gcr.io/etcd-development/etcd is the authoritative image source. quay.io/coreos/etcd is secondary and may lag. If your cluster pulls from quay.io, verify the image digest matches the primary before deploying in production.

主な変更 (4)
  • Patch release in the 3.5 stable series
  • Full change details available only in the CHANGELOG-3.5.md, not surfaced in the release notes directly
  • Container images available via gcr.io/etcd-development/etcd (primary) and quay.io/coreos/etcd (secondary)
  • Upgrade guide should be reviewed before deploying — breaking changes may be present
原文

etcd

Kubernetes Core2026年3月20日

etcd v3.4.42 is a maintenance release on the 3.4 branch. The release notes are sparse — check the full CHANGELOG for specifics before upgrading.

  • breakingCheck the upgrade guide even for patch releases

    The release explicitly calls out that breaking changes may exist. On a 3.4.x patch bump this is unlikely but not impossible — particularly around snapshot or WAL handling. Verify the upgrade guide is clean for your version before rolling out to production clusters.

  • enhancementReview the full CHANGELOG before upgrading

    The release notes published here are essentially empty. Before applying this update to any environment, pull the CHANGELOG-3.4.md directly from the etcd repo to understand what bug fixes or patches are included. Blind upgrades on a critical consensus store are a bad idea.

主な変更 (4)
  • Maintenance release on the 3.4.x stable branch
  • Full change details available only in the CHANGELOG-3.4.md
  • Upgrade guide should be reviewed for any breaking changes before applying
  • Container images available on gcr.io/etcd-development/etcd (primary) and quay.io/coreos/etcd (secondary)
原文

Kubernetes

Kubernetes Core2026年3月19日

v1.35.3 is a small patch with two kubeadm bug fixes and one DRA eviction status reporting cleanup. Low risk, safe to apply.

  • enhancementUpgrade kubeadm-managed clusters to fix etcd learner endpoint bug

    The etcd learner member fix is the most operationally relevant change here. If you use kubeadm and have experienced etcd client connectivity issues during node join/promotion operations, this patch addresses the root cause. Schedule an upgrade during your next maintenance window — no config changes required, just a kubeadm binary update.

  • enhancementkubeadm reset is more reliable on systems with peer mounts

    If your node reset automation was failing on environments where /var/lib/kubelet has peer mounts (common in certain container runtimes or nested mount configurations), this fix prevents those EINVAL errors from blocking the reset process. Worth upgrading if you've seen unexplained reset failures.

主な変更 (3)
  • kubeadm no longer adds etcd learner members to client endpoints, preventing potential routing issues during cluster operations
  • kubeadm reset now ignores EINVAL errors when unmounting /var/lib/kubelet peer mounts, avoiding spurious failures on reset
  • DRA device taint eviction controller fixes a misleading status message that double-counted pod evictions in intermediate states
原文

Kubernetes

Kubernetes Core2026年3月19日

v1.34.6 is a minimal patch fixing two kubeadm bugs: etcd learner endpoints and a kubelet unmount error during cluster reset.

  • enhancementUpgrade if you run kubeadm-managed clusters with etcd membership changes

    The etcd learner fix matters any time you add etcd members — a learner node (not yet a voting member) being included in client endpoints could cause request failures during the promotion window. If you've seen intermittent etcd client errors during node additions, this patch resolves it. Otherwise, apply at your normal patch cadence.

  • enhancementUpgrade if kubeadm reset fails on your nodes

    The EINVAL unmount fix addresses a real pain point: kubeadm reset aborting mid-way when certain bind mounts under /var/lib/kubelet can't be cleanly unmounted. This tends to show up on nodes with overlapping mount namespaces or specific filesystem setups. If you've had to manually clean up after a failed reset, this patch removes that friction.

主な変更 (3)
  • kubeadm no longer adds etcd learner members to client endpoint lists, preventing potential routing errors during etcd membership changes
  • kubeadm reset now ignores EINVAL errors when unmounting /var/lib/kubelet peer mounts, fixing failures on certain kernel/filesystem configurations
  • No dependency changes — this is a pure bug fix release
原文

Kubernetes

Kubernetes Core2026年3月19日

v1.33.10 is a small patch fixing a kube-controller-manager nil pointer crash in ValidatingAdmissionPolicy and two kubeadm operational bugs. No dependency changes.

  • breakingPatch immediately if you use ValidatingAdmissionPolicy with open schemas

    Any ValidatingAdmissionPolicy referencing an object schema with `additionalProperties: true` will crash kube-controller-manager outright — not degrade gracefully. If you're running v1.33.x and using VAP, check your policies now. Upgrade to v1.33.10 before deploying any new policies with open schemas, or you risk taking down the controller manager.

  • enhancementkubeadm etcd learner fix matters for HA cluster joins

    When adding control plane nodes, etcd temporarily registers new members as learners. The previous behavior incorrectly included learner endpoints in the etcd client pool, which could cause client errors during promotion. If you run kubeadm-managed HA clusters and have experienced intermittent etcd client failures during control plane joins, this patch resolves it. Upgrade before your next control plane scaling operation.

  • enhancementkubeadm reset now handles stubborn bind mounts cleanly

    On nodes with bind-mounted /var/lib/kubelet directories, `kubeadm reset` previously failed with EINVAL during unmount, leaving cleanup incomplete. The fix silently ignores EINVAL — which is expected for peer mounts — so resets complete cleanly. Useful if you automate node decommissioning with kubeadm reset in scripts.

主な変更 (3)
  • ValidatingAdmissionPolicy: schemas with `additionalProperties: true` no longer crash kube-controller-manager with a nil pointer exception
  • kubeadm no longer adds etcd learner members to client endpoints, preventing potential routing issues during cluster operations
  • kubeadm reset now gracefully handles EINVAL errors when unmounting /var/lib/kubelet peer mounts, avoiding false failures
原文

Lima

Kubernetes Core2026年3月17日

Lima v2.1.0 adds experimental macOS and FreeBSD guest support, renames the guest home directory path, and consolidates disk files — a release with real migration considerations alongside useful new features.

  • breakingDisk file consolidation means no downgrade path

    Once an instance runs under Lima v2.1, its disk format is incompatible with v2.0 and v1.x. Snapshot or back up critical VM instances before upgrading. If you manage shared Lima environments or CI pipelines that pin Lima versions, ensure all consumers upgrade together — you can't roll back individual instances.

  • breakingHardcoded paths to `/home/${USER}.linux` will break

    The guest home directory is now `/home/${USER}.guest`. A symlink covers the old path, so most things will keep working. However, any scripts, dotfiles, or tooling that hardcodes the `.linux` suffix — particularly in non-symlink-aware contexts like bind mounts or container volume paths — should be audited and updated.

  • enhancementUse `limactl shell --sync` for AI agent workflows

    If you're running AI coding agents (e.g., Claude Code, Aider) inside Lima shells, `--sync` prevents the agent from accidentally modifying host files by syncing the working directory into the guest context. Adopt this flag in any automation or agent harness that launches `limactl shell` — it's a low-friction safety net.

  • enhancementk3s template now supports multi-node clusters

    The built-in `k3s` template can now spin up multi-node clusters, which makes local Kubernetes testing significantly more realistic. If you've been working around this limitation with custom configs or alternative tools like Rancher Desktop, it's worth re-evaluating the native template.

主な変更 (6)
  • Experimental macOS and FreeBSD guest support via new templates (`template:macos`, `template:freebsd`)
  • Guest home directory renamed from `/home/${USER}.linux` to `/home/${USER}.guest`; old path symlinked for compatibility
  • `basedisk` + `diffdisk` consolidated into a single `disk` file — instances from v2.0/v1.x boot fine in v2.1, but not the reverse
  • New `limactl shell --sync` flag to isolate AI agent shell sessions from host filesystem
  • Host-to-guest time synchronization added in the hostagent; guestagent binary shrunk from 14MB to 6.1MB
  • QEMU is now the default hypervisor for non-native architectures
原文

Helm

Kubernetes Core2026年3月12日

Helm v3.20.1 fixes two critical bugs affecting chart value handling and OCI registry operations that could cause deployment failures.

  • enhancementUpgrade immediately for value handling fixes

    This patch resolves two bugs that could break chart deployments. The nil value preservation fix prevents unexpected behavior when overriding chart defaults, while the OCI tag+digest fix enables proper chart pulling from registries using both identifiers. Test your existing charts after upgrading to ensure value overrides work as expected.

  • enhancementVerify OCI chart references work properly

    If you use OCI registries with tag+digest references (like `registry/chart:v1.0@sha256:abc123`), this release fixes previous 'invalid byte' errors. Update your CI/CD pipelines to use this version before relying on tag+digest combinations for chart immutability.

主な変更 (4)
  • Fixed nil value preservation bug when charts have empty maps or no defaults for keys
  • Resolved OCI reference failures with tag+digest causing 'invalid byte' errors
  • Updated Kubernetes dependencies to latest versions
  • Added support for pulling charts from OCI indices
原文

Helm

Kubernetes Core2026年3月11日

Helm v4.1.3 patches multiple critical bugs affecting OCI registries, dry-run operations, and value handling that were causing deployments to fail or behave unpredictably in production environments.

  • breakingUpdate OCI registry workflows immediately

    If you use OCI registries that store both container images and Helm charts under the same tag, upgrade now. The previous bug caused complete pull failures. Test your chart pulls after upgrading to ensure compatibility with your registry setup.

  • enhancementReview autoscaling upgrade timeouts

    Upgrades now properly wait for cluster autoscalers and rolling updates instead of failing prematurely. Review your deployment pipelines and consider reducing any artificial delays you added to work around this issue. Monitor initial upgrades closely to verify improved behavior.

  • enhancementValidate dry-run operations with generateName

    Server-side dry-run now correctly handles generateName fields. If you've been avoiding dry-run validation for resources using generateName, re-enable it in your CI/CD pipelines. This improves pre-deployment validation coverage.

主な変更 (5)
  • Fixed dry-run server mode not respecting generateName, causing validation issues
  • Resolved OCI registry failures when pulling charts from mixed container/chart repositories
  • Fixed nil value preservation preventing proper chart defaults overrides
  • Corrected FailedStatus handling that caused premature upgrade failures during autoscaling
  • Eliminated YAML corruption from template whitespace trimming after post-rendering
原文

containerd

Kubernetes Core2026年3月10日

containerd 2.2.2 fixes critical CRI networking bugs, registry credential leakage, and AppArmor compatibility issues that could affect production Kubernetes workloads.

  • securityUpdate to prevent registry credential exposure

    Registry credentials could leak in error messages and pod events. Deploy this patch immediately if you use private registries with authentication, as these credentials might appear in logs or Kubernetes events that could be accessed by unauthorized users.

  • breakingFix CNI network cleanup after restarts

    CNI DEL operations weren't executing after containerd restarts, leaving stale network configurations. This affects pod networking reliability. Update before your next maintenance window to prevent network namespace leaks and potential IP conflicts.

  • enhancementUpgrade for AppArmor compatibility

    AppArmor profiles now work correctly with unix domain sockets on modern kernels. If you're running newer kernel versions and experiencing socket connection issues with AppArmor enabled, this update resolves the compatibility problem.

主な変更 (5)
  • Fixed CNI cleanup issue where network teardown failed after containerd restarts
  • Resolved credential leakage in error messages when registry authentication fails
  • Fixed AppArmor profile causing unix socket failures on newer kernels
  • Corrected registry mirror configuration migration for legacy setups
  • Fixed nil pointer crashes in memory metrics when constraints are partially configured
原文

CoreDNS

Kubernetes Core2026年3月6日

CoreDNS v1.14.2 delivers critical security fixes including ACL bypass prevention and stronger loop detection randomness, plus introduces proxy protocol support for preserving client IPs behind load balancers.

  • securityUpgrade immediately to fix ACL bypass vulnerability

    This release fixes CVE-2026-26017 where the rewrite plugin could bypass ACL restrictions. Teams using ACL plugin for access control should prioritize this upgrade and verify their rewrite rules aren't inadvertently exposing restricted zones.

  • securityUpdate Go runtime for multiple CVE fixes

    The Go 1.26.1 update addresses five CVEs in the runtime. Plan your rollout to ensure you're getting both CoreDNS fixes and the underlying Go security improvements, especially if your CoreDNS instances are internet-facing.

  • enhancementDeploy proxyproto plugin for load balancer environments

    If you're running CoreDNS behind load balancers and need real client IP visibility for logging or ACLs, configure the new proxyproto plugin. This is particularly valuable for environments where client IP-based policies or audit trails are required.

主な変更 (5)
  • New proxyproto plugin enables client IP preservation behind load balancers using Proxy Protocol
  • Fixed ACL bypass vulnerability by reordering rewrite plugin execution before ACL checks
  • Strengthened loop detection security by switching to cryptographically secure randomness
  • Resolved TLS+IPv6 forwarding parsing errors that affected encrypted DNS traffic
  • Enhanced DNS logging with response Type and Class metadata for better observability
原文

CRI-O

Kubernetes Core2026年3月3日

CRI-O v1.33.10 fixes a critical bug in high performance hook IRQ SMP affinity handling that could cause IRQ interference between containers during late deletion scenarios.

  • securityUpdate immediately if using high performance hooks

    This bug could cause performance degradation or unexpected behavior in high-performance workloads by interfering with IRQ handling between containers. If you're running CRI-O with high performance hooks enabled (typically in HPC or latency-sensitive environments), upgrade immediately to prevent IRQ SMP affinity corruption that occurs during container cleanup.

主な変更 (3)
  • Fixed IRQ SMP affinity bug in high performance hooks preventing cross-container interference
  • Resolved issue where late container deletion affected IRQ settings of other containers
  • No dependency changes or new features in this patch release
原文
← 新しい古い →