リリース
CNCF graduated・incubatingプロジェクトのリリースノートのAI分析。
CRI-O v1.34.10はバグ修正のみのパッチで、gomaxprocsのCPU注入ロジックの修正と、再起動後のコンテナステータスにおけるImageRef形式のリグレッション修正の2件が含まれます。セキュリティ、API、設定の変更はありません。
主な変更 (3)
- gomaxprocsフックがCPU設定を注入するかどうかの判断でワークロードパーティショニングを無視するよう変更
- gomaxprocsの計算が要求CPU数の少なくとも2倍を保証し、Goスケジューラのスロットリングリスクを低減
- CRI-O再起動後にコンテナステータスのImageRefがrepo@digest形式から生のイメージIDハッシュに変わっていたバグを修正
CRI-O v1.35.4 is a patch release with no code changes or dependency updates from v1.35.3 — essentially a rebuild or re-tag of the previous patch.
enhancementSkip this upgrade unless you need a clean rebuild
There are zero changelog entries and zero dependency changes. This release is likely a rebuild triggered by a CI/pipeline issue or a signing/artifact correction. If you're already on v1.35.3 and it's working, there's no functional reason to upgrade. Check the CRI-O GitHub issue tracker or release PR for context on why this tag was cut before deciding to roll it out.
enhancementVerify artifact integrity with cosign and SBOM before deploying
Even for a no-change release, practice your supply chain verification workflow: use cosign to verify the signature on the tarball and the bom tool to validate the SPDX SBOM. This is good hygiene to establish before you need it on a critical release.
主な変更 (4)
- No code changes between v1.35.3 and v1.35.4
- No dependency additions, updates, or removals
- Release artifacts available for amd64, arm64, ppc64le, and s390x
- SBOM (SPDX format) and cosign signatures published alongside binaries
CRI-O v1.36.1 is a small patch fixing a container status regression where ImageRef flipped to a raw image ID after restart, plus a debug log verbosity reduction.
breakingUpgrade if you rely on ImageRef for image identity after restarts
Before this fix, CRI-O restarts caused ImageRef in container status to switch from a repo@digest string to a raw image ID. Any tooling that parses ImageRef — admission controllers, audit pipelines, image policy enforcers — could silently receive the wrong format and fail validation or produce incorrect audit records. If you run workloads where CRI-O restarts are common (e.g., upgrades, node reboots), patch to v1.36.1 immediately and validate your tooling handles the repo@digest format consistently.
enhancementExpect quieter debug logs under high-frequency List* RPC calls
Clusters with aggressive monitoring or reconciliation loops generating frequent ListContainers/ListPodSandboxes calls were generating excessive debug log volume, which hurt CRI-O performance under high load. After this patch, debug logging is less chatty for these paths. If you previously reduced log levels specifically to work around this noise, you can now safely re-enable debug logging without the same overhead.
主な変更 (4)
- Fixed ImageRef regression: container status now correctly returns repo@digest format (not raw image ID hash) after CRI-O restarts
- Reduced log verbosity for List* RPC calls, cutting noise in debug-level logging under frequent polling
- No dependency changes — pure bug fix release
- SLSA provenance, OpenVEX, and SPDX SBOMs published for supply chain verification
CRI-O v1.34.9 fixes two concurrency bugs: a panic from racing StopContainer calls and a spurious exit code 255 on fast-exiting containers. Pure bug-fix release, no dependency changes.
breakingPanic risk on concurrent StopContainer — upgrade if you drain nodes or run rapid pod teardowns
If your cluster drains nodes, runs batch workloads with rapid pod churn, or uses any automation that issues multiple StopContainer calls in parallel, the pre-fix versions could panic CRI-O, taking down the container runtime on that node. This is a hard crash, not a graceful error. Upgrade to v1.34.9 immediately on any node where concurrent stop operations are plausible.
enhancementExit code 255 false positives are gone — review alerting and restart policies
Exit code 255 is often treated as a runtime-level failure in monitoring stacks and can trigger unnecessary pod restarts or alerts. If you have OOMKill or fast-exit workloads (init containers, short-lived jobs) and have seen spurious 255 exit codes in your logs or metrics, those were false positives from this race. After upgrading, audit your alerting rules and CrashLoopBackOff history — you may find some pods were incorrectly flagged.
主な変更 (3)
- Fixed panic caused by concurrent StopContainer calls sending on an already-closed channel
- Fixed race condition that incorrectly reported exit code 255 for containers that exited quickly
- No dependency additions, changes, or removals
Single-fix patch release resolving a race condition that caused CRI-O to incorrectly report exit code 255 for fast-exiting containers.
breakingFalse exit code 255 may have masked real container failures
If your monitoring, alerting, or restart policies key off exit code 255, you may have been misclassifying fast-exiting containers as crashed. After upgrading, audit any runbooks or OOMKill/CrashLoopBackOff workflows that treat exit code 255 as a specific signal — the real exit codes from short-lived containers will now surface correctly.
enhancementUpgrade straightforward for 1.33.x users — no config or dependency changes
This is a clean drop-in replacement for v1.33.12. No dependency bumps, no config changes required. Plan a rolling node drain and replace the CRI-O binary. Prioritize nodes running batch jobs, init containers, or short-lived workloads where fast exits are common and exit code accuracy matters most.
主な変更 (3)
- Fixed race condition causing exit code 255 misreport when containers exit quickly
- No dependency changes — pure bug fix targeting a specific runtime edge case
- Affects amd64, arm64, ppc64le, and s390x builds equally
CRI-O v1.36.0 ships CNI health monitoring, configurable GOMAXPROCS injection, TLS hardening options, and a CVE fix — alongside a batch of race condition and cgroupv2 bug fixes.
securityPatch CVE-2026-35469 by upgrading to v1.36.0
The spdystream dependency carried CVE-2026-35469. If you're running v1.35.x, this is a direct reason to upgrade. After upgrading, verify the release bundle with cosign against the signed bundle artifacts — the SLSA provenance and OpenVEX report are both available for this release.
breakingValidate CNI plugin behavior under new continuous health monitoring
CRI-O now polls CNI plugins with STATUS after initial readiness. A plugin that was silently degraded will now actively set NetworkReady=false on the node, blocking pod scheduling. Before upgrading, confirm your CNI plugin properly implements the STATUS verb (Cilium, Calico, and Flannel do; older or custom plugins may not). Test in a non-production cluster first — this is a behavioral change that could surface latent CNI issues.
enhancementSet TLS minimums for the CRI-O API — don't leave defaults in production
New `tls_min_version` and `tls_cipher_suites` options under `[crio.api]` let you enforce TLS 1.2+ and restrict weak cipher suites on the streaming and metrics endpoints. The default is TLS 1.2, but you should explicitly set `tls_min_version = TLS13` in security-sensitive environments and review your cipher suite policy. Update your configuration management (Ansible, SaltStack, etc.) to codify this before the next node rollout.
主な変更 (5)
- CVE-2026-35469 patched via spdystream dependency update — upgrade immediately if you're on v1.35.x
- CNI plugin health is now continuously monitored via STATUS verb; unhealthy plugins flip the node to NetworkReady=false and self-heal on recovery
- New `min_injected_gomaxprocs` config option sets a floor for GOMAXPROCS injected into every container, useful for CPU-constrained workloads
- TLS 1.2/1.3 and cipher suite configuration added to the `[crio.api]` section for streaming and metrics servers
- Fixed v1.35.0 regression: systemd containers with user namespaces (hostUsers: false) were failing with 'Permission denied' on cgroup creation
v1.35.3 patches CVE-2026-35469, fixes a container stop panic and exit-code race, adds CNI health monitoring (then reverts it), and introduces GOMAXPROCS floor injection for containers.
securityPatch CVE-2026-35469 by upgrading to v1.35.3
The spdystream dependency had a vulnerability (CVE-2026-35469) fixed by bumping to moby/spdystream v0.5.1. If you're running v1.35.x, upgrade to v1.35.3 now. There's no workaround — the fix is only in the updated binary.
breakingCNI health monitoring was added and then reverted in the same release
CRI-O briefly added continuous CNI plugin health checks using the STATUS verb, which would have marked nodes NetworkReady=false on plugin failures. It was reverted before this release shipped because it caused bootstrapping regressions. Net result: no behavior change for CNI in v1.35.3. But if you saw this feature in changelogs and planned for it, don't — it's gone and will likely return in a future release with fixes.
enhancementUse 'min_injected_gomaxprocs' to prevent CPU underutilization in containers with low CPU requests
Containers with very low cpu.request values can end up with GOMAXPROCS=1, throttling Go-based workloads. The new 'min_injected_gomaxprocs' config field sets a floor so CRI-O injects max(floor, cpu.request) as GOMAXPROCS. This is particularly useful for Go-based sidecars or agents that are request-constrained but need threading headroom. Set this in your CRI-O config if you run Go workloads with conservative CPU requests.
主な変更 (6)
- CVE-2026-35469 fixed via spdystream dependency bump from v0.5.0 to v0.5.1
- Panic on concurrent StopContainer calls fixed — this was a real crash risk in high-churn environments
- Exit code 255 race condition resolved for fast-exiting containers
- New 'min_injected_gomaxprocs' config option sets a floor for GOMAXPROCS injected into every container
- CNI health monitoring (STATUS verb polling) was added then immediately reverted due to node bootstrapping regressions — net effect is no CNI monitoring change in this release
- New 'container_runtime_crio_default_runtime' metric exposes which runtime is configured on the node
CRI-O v1.34.8 patches CVE-2026-35469 in the spdystream dependency and adds two operator-facing features: a new runtime metric and configurable GOMAXPROCS injection.
securityPatch CVE-2026-35469 — update to v1.34.8 now
The spdystream library had a vulnerability fixed in this release. spdystream is used for streaming connections (exec, attach, port-forward), so exposure is real in any cluster. Upgrade CRI-O to v1.34.8 on all nodes. No config changes required — the fix is purely a dependency bump.
enhancementUse the new runtime metric to audit node configurations
The `container_runtime_crio_default_runtime` metric lets you confirm — via your existing Prometheus stack — that every node is actually running the runtime you expect (e.g., runc vs. kata-containers). This is particularly useful in mixed-runtime clusters or after node image upgrades where config drift can go undetected. Add an alert for unexpected runtime values once you've upgraded.
enhancementEvaluate min_injected_gomaxprocs for CPU-constrained workloads
If you run containers with very low cpu.request values (e.g., 0.1 cores), Go runtimes default to GOMAXPROCS=1, which can serialize work that should be parallel. Setting `min_injected_gomaxprocs` raises the floor so those containers get a more reasonable thread count. Be cautious on dense nodes: raising GOMAXPROCS across all containers increases goroutine scheduling overhead. Test with a non-Guaranteed workload first and watch CPU throttling metrics before rolling out cluster-wide.
主な変更 (4)
- CVE-2026-35469 fixed by bumping moby/spdystream from v0.5.0 to v0.5.1
- New `container_runtime_crio_default_runtime` metric exposes which container runtime is configured as default on each node
- New `min_injected_gomaxprocs` config option sets a floor for GOMAXPROCS injected into every container CRI-O creates
- GOMAXPROCS injection logic: CRI-O uses max(floor, cpu.request) except for Guaranteed QoS pods or partitioned workloads
v1.33.12 patches CVE-2026-35469 via a spdystream dependency bump and adds a new min_injected_gomaxprocs option for controlling GOMAXPROCS floor in containers.
securityPatch CVE-2026-35469 — upgrade now
The spdystream dependency update addresses CVE-2026-35469. Since spdystream handles HTTP/2 multiplexing in CRI-O's communication paths, any cluster running v1.33.x should move to v1.33.12 promptly. Check your vulnerability scanner results for this CVE and treat this as a routine security patch cycle rather than waiting for your next maintenance window.
enhancementUse min_injected_gomaxprocs to prevent CPU underutilization in Go workloads
Go runtimes default GOMAXPROCS to the number of logical CPUs on the node, which causes goroutine scheduling inefficiency when containers have small cpu.request values. This new option lets you set a floor (e.g., 2 or 4) so containers don't get starved of OS threads. It only applies to Burstable and BestEffort pods — Guaranteed QoS pods and partitioned workloads are unaffected. Start by auditing Go-based workloads in your cluster that run with low cpu.request; set min_injected_gomaxprocs conservatively and monitor goroutine behavior before widening the floor.
主な変更 (4)
- CVE-2026-35469 fixed by updating moby/spdystream from v0.5.0 to v0.5.1
- New min_injected_gomaxprocs config option sets a GOMAXPROCS floor for all containers CRI-O creates
- GOMAXPROCS injection logic: CRI-O injects max(floor, cpu.request), but only for non-Guaranteed QoS pods or partitioned workloads
- Guaranteed QoS pods and partitioned workloads are excluded from the GOMAXPROCS injection behavior
v1.33.11 is a maintenance patch with no code changes or dependency updates — purely a rebuild/re-release against the v1.33.10 baseline.
enhancementSkip this upgrade if you're already on v1.33.10
There are zero functional or security changes here. If your nodes are running v1.33.10 without issues, there's no practical reason to roll this out. Watch for v1.33.12 or a patch with actual fixes before scheduling maintenance windows.
enhancementUse SBOM and cosign artifacts for supply chain verification
Every build ships SPDX SBOMs and cosign bundle files. If your org has supply chain security requirements, integrate cosign verification into your upgrade pipeline now — this is a low-risk release to test that workflow against before a more impactful update arrives.
主な変更 (4)
- No code changes between v1.33.10 and v1.33.11
- No dependency additions, updates, or removals
- Release artifacts available for amd64, arm64, ppc64le, and s390x
- SPDX SBOMs and cosign signatures provided for all artifacts
CRI-O v1.35.2 is a focused bug-fix patch addressing image pull credential verification, metrics reporting gaps, and OCI artifact store contamination issues.
breakingVerify credential provider workflows after upgrading
The PullImage fix changes what gets returned during image pulls. If you use Kubernetes credential provider plugins or have automation that validates image pull behavior, test those flows before rolling this to production. The old behavior could silently bypass credential checks in edge cases.
enhancementAudit your metrics pipelines — you may have been missing data
The metrics bug means any cluster running v1.35.x before this patch was likely returning incomplete metrics when 'all' was set. After upgrading, expect metric cardinality to increase. Check dashboards and alerting thresholds — a spike in metrics volume is expected and correct, not a problem.
enhancementUse additional_artifact_stores for air-gapped or mirrored artifact setups
If you run air-gapped clusters or internal artifact mirrors, the new 'additional_artifact_stores' option lets you configure multiple read-only sources without hacking around existing config. Pair this with the pinned_images fix to ensure pinned artifacts are pulled from the right store consistently.
主な変更 (5)
- PullImage now returns the image ID directly, fixing Kubernetes credential verification compatibility
- Metrics endpoint now returns all metrics when 'all' is configured — previously silently incomplete
- Regular container images can no longer accidentally land in the OCI artifact store
- pinned_images configuration now applies consistently to artifact store images, not just regular containers
- New 'additional_artifact_stores' config option for adding read-only artifact store sources
CRI-O v1.34.7 is a patch release with no code changes or dependency updates from v1.34.6 — essentially a rebuild or release process artifact.
enhancementSafe to skip unless you need the rebuild
This release carries zero functional or security changes. If you're already on v1.34.6, there's no operational reason to upgrade immediately. That said, if your pipeline requires the latest patch tag for compliance or artifact provenance reasons, the SPDX SBOM and cosign bundles are all present and accounted for.
主な変更 (4)
- No code changes between v1.34.6 and v1.34.7
- No dependency additions, updates, or removals
- Artifacts available for amd64, arm64, ppc64le, and s390x
- SBOM (SPDX format) and cosign signature bundles provided for all architectures
CRI-O v1.33.10 fixes a critical bug in high performance hook IRQ SMP affinity handling that could cause IRQ interference between containers during late deletion scenarios.
securityUpdate immediately if using high performance hooks
This bug could cause performance degradation or unexpected behavior in high-performance workloads by interfering with IRQ handling between containers. If you're running CRI-O with high performance hooks enabled (typically in HPC or latency-sensitive environments), upgrade immediately to prevent IRQ SMP affinity corruption that occurs during container cleanup.
主な変更 (3)
- Fixed IRQ SMP affinity bug in high performance hooks preventing cross-container interference
- Resolved issue where late container deletion affected IRQ settings of other containers
- No dependency changes or new features in this patch release
CRI-O v1.35.1 fixes critical systemd container issues with user namespaces and adds TLS configuration options for API servers.
breakingTest systemd workloads with user namespaces
A regression in v1.35.0 broke systemd containers when hostUsers: false is set. This patch fixes it, but if you're running v1.35.0, upgrade immediately and test any systemd workloads that use user namespace isolation to ensure they start properly.
enhancementConfigure TLS settings for production security
New TLS configuration options let you harden streaming and metrics server security. Add tls_min_version and tls_cipher_suites to your [crio.api] section to enforce TLS 1.3 and strong cipher suites in production environments.
enhancementVerify runc v1.4.0 compatibility
The update to runc v1.4.0 brings performance improvements and bug fixes. Test your container workloads, especially those using advanced features like cgroups v2 or checkpoint/restore, to ensure compatibility with the new runtime version.
主な変更 (5)
- Fixed systemd containers failing with 'Permission denied' errors when user namespaces are enabled
- Added TLS configuration options (tls_min_version, tls_cipher_suites) for streaming and metrics servers
- Improved OCI artifact pull fallback logic to skip retries on retryable errors
- Updated runc to v1.4.0 and multiple dependency versions for stability
- Enhanced TLS support with configurable TLS 1.2 (default) and TLS 1.3 options
CRI-O v1.34.6 is a maintenance release with no functional changes, dependencies, or fixes - purely a version bump from v1.34.5.
enhancementSkip this release unless forced by policy
This release contains zero functional changes. Stay on v1.34.5 unless your organization requires running the latest patch version for compliance reasons. Save the upgrade effort for a release that brings actual improvements.
主な変更 (4)
- No code changes between v1.34.5 and v1.34.6
- No dependency updates or removals
- Release artifacts available for amd64, arm64, ppc64le, and s390x architectures
- SBOM and signature verification support maintained