RATATOSKRATATOSK
ログイン

リリース

CNCF graduated・incubatingプロジェクトのリリースノートのAI分析。

2026年5月解除 ×

gRPC

Networking & Messaging2026年5月29日

日本語 準備中gRPC v1.81.0 drops Python 3.9 and Ruby 3.1 support, fixes crash-level races on Windows and ARM, and adds AsyncIO observability for Python.

  • breakingPython 3.9 support dropped — check your runtime

    gRPC Python 1.81.0 drops Python 3.9 support. If your services still run on Python 3.9, stay on an older gRPC release until you can upgrade your runtime. Plan the Python version bump before pulling this release.

  • breakingRuby 3.1 support dropped — upgrade your Ruby runtime

    Ruby 3.1 has reached EOL and gRPC 1.81.0 drops support for it. If you're running Ruby 3.1 in production with gRPC, you'll need to upgrade to Ruby 3.2+ before adopting this release.

  • enhancementWindows and ARM stability fixes worth taking

    Two EventEngine fixes address a use-after-free and a race condition causing assertion errors on Windows, plus a completion queue shutdown race on ARM (weak memory model). If you run gRPC on Windows or ARM-based infrastructure, this release directly fixes stability issues that could cause crashes. Upgrade when stable.

主な変更 (6)
  • Python 3.9 support removed — Python 3.10+ required going forward
  • Ruby 3.1 (EOL) support dropped — Ruby 3.2+ required
  • EventEngine: fixed use-after-free and assertion-error race on Windows
  • Fixed completion queue shutdown race condition on ARM (weak memory models)
  • gRPC Python now supports observability in the AsyncIO stack
  • grpc-status Python package: protobuf dependency upper bound relaxed to allow 7.x
原文

Contour

Networking & Messaging2026年5月28日

日本語 準備中Contour v1.33.5 is a security patch: it closes a JWT verification bypass that was possible when fallback certificates were combined with JWT-protected HTTPProxy routes.

主な変更 (4)
  • Patches GHSA-g3xr-5w5j-w4q4: HTTPProxy configs combining a fallback certificate with JWT verification could let requests without SNI, or with unrecognized SNI, skip JWT verification
  • Contour now rejects this invalid fallback-certificate-plus-JWT configuration outright instead of silently allowing the bypass
  • Tested against Kubernetes 1.32 through 1.34
  • No other functional changes in this release
原文

NATS

Networking & Messaging2026年5月20日

日本語 準備中NATS v2.14.1 is a substantial patch release fixing ~30 bugs across JetStream, clustering, and core messaging — several of them data-integrity and panic-level issues worth deploying promptly.

  • securitygolang.org/x/crypto bumped to v0.51.0 — update now if you embed nats-server

    The x/crypto and x/sys dependency updates often carry CVE fixes. If you embed nats-server as a Go library (common in edge/IoT deployments), rebuild and redeploy. For standard deployments, just upgrade the binary. Don't sit on this one — crypto library updates in a messaging server are not optional hygiene.

  • breakingReview the 2.14 Upgrade Guide before deploying — 2.13.x was skipped

    The release notes explicitly reference backwards-compatibility notes against 2.12.x, not 2.13.x, because that minor version was never released. If your team is running 2.12.x and skipped 2.13.x, read the 2.14 upgrade guide carefully before rolling out. Pay attention to JetStream consumer and stream API changes that may affect your clients.

  • enhancementUse the new client-traffic /varz metrics for baseline observability

    The four new metrics (in/out client msgs/bytes) give you a cleaner split between client traffic and internal cluster/leafnode chatter. Wire these into your Prometheus scrape or monitoring dashboard now to establish baselines. This is especially useful for capacity planning on servers that handle mixed client and cluster traffic, since previously you had to infer client load from total metrics.

主な変更 (5)
  • 30+ bug fixes across JetStream Raft, consumer state, filestore encryption, and cluster routing
  • New /varz metrics (in_client_msgs, in_client_bytes, out_client_msgs, out_client_bytes) for client-only traffic visibility
  • Consumer redelivery drift fixed across multiple paths: workqueue streams, max_deliver, purge/compaction scenarios
  • Filestore block cache corruption on encryption mode conversion patched (critical data integrity fix)
  • TLS handshake timeout logs demoted to debug level, reducing operational noise in busy clusters
原文

NATS

Networking & Messaging2026年5月20日

日本語 準備中v2.12.9 is a dense bug-fix release targeting JetStream stability — covering Raft correctness, consumer state corruption, and filestore encryption bugs that could silently corrupt data.

  • securityUpdate: golang.org/x/crypto bumped to v0.51.0

    The x/crypto dependency was updated alongside Go 1.25.10. If your org tracks CVEs against transitive dependencies, verify your SBOM tooling picks this up. Upgrade to v2.12.9 to pull in the patched crypto library — there's no workaround at the application level.

  • breakingEncrypted JetStream users must upgrade — filestore corruption risk

    A bug in filestore encryption mode conversion could cause block-level corruption when switching encryption settings (PR #8105, #8166). If you've ever changed encryption mode on an existing stream, inspect those streams after upgrading. If corruption already occurred, you'll need to restore from a pre-conversion snapshot.

  • enhancementUse the new /varz client traffic metrics for capacity planning

    The four new metrics (in/out_client_msgs and in/out_client_bytes) let you separate actual client-facing load from internal cluster/leafnode traffic. Wire these into your Prometheus scrape now — they're directly useful for right-sizing clusters and spotting noisy clients without needing to parse per-connection data.

主な変更 (5)
  • New /varz metrics (in_client_msgs, in_client_bytes, out_client_msgs, out_client_bytes) isolate client-only traffic from internal messaging
  • Fixed filestore encryption mode conversion that caused block-level corruption — critical for encrypted JetStream deployments
  • Fixed multiple consumer redelivered-state drift bugs affecting workqueue/interest streams with max_deliver, purges, and compactions
  • Deadlock fix in cluster info processing under Raft lock contention — relevant for busy clustered deployments
  • Raft correctness improvements: WAL truncation cache invalidation, checkpoint cancellation, truncated entry panics, and unknown peer removal
原文

Emissary-Ingress

Networking & Messaging2026年5月19日

日本語 準備中Emissary-Ingress v4.1.0 ships Envoy 1.37.2 and fixes a stale cache bug that caused Istio mTLS cert rotation to silently fail.

  • securityReview Envoy 1.37.x release notes before upgrading

    This upgrade spans Envoy 1.37.0 through 1.37.2, which includes security patches and potentially deprecated xDS fields. Pull up the Envoy 1.37.0, 1.37.1, and 1.37.2 changelogs and scan for any deprecated API fields or behavior changes that match your current Mapping/Ambassador configs before rolling out to production.

  • breakingStale config cache fix may change startup behavior

    The IR.check_deltas fix now triggers a full reconfigure when an empty-delta snapshot arrives with a cached state. In practice this means Emissary will re-push config to Envoy in scenarios where it previously did nothing. If you have automation or health checks that depend on the old (broken) quiet behavior during cert rotation windows, validate them in staging first.

  • enhancementUpgrade if you run Emissary alongside Istio

    If your cluster uses Istio and Emissary together, this fix directly addresses mTLS cert rotation failures (issue #4744). Stale certificates staying in the cache caused silent connectivity breakage during rotation events. Upgrading to v4.1.0 should eliminate those intermittent failures without any config changes on your part.

主な変更 (3)
  • Envoy proxy upgraded from 1.36.2 to 1.37.2 (spans three Envoy minor releases)
  • Fixed IR.check_deltas bug: empty-delta snapshots now force a full reconfigure instead of holding stale cache entries
  • Istio mTLS certificate rotation failures caused by the stale cache issue are resolved
原文

Istio

Networking & Messaging2026年5月18日

日本語 準備中Istio 1.30 ships experimental AI-focused agentgateway, ambient mode CIDR support, a new TrafficExtension API, and tightened debug endpoint auth that breaks existing setups.

  • breakingDebug endpoint auth is on by default — audit your tooling now

    Port 15010 XDS debug endpoints now enforce authentication with ENABLE_DEBUG_ENDPOINT_AUTH=true as the default. Any internal tooling, dashboards, or scripts hitting syncz or config_dump without credentials will start failing after upgrade. Before upgrading, inventory everything that talks to port 15010 and either add auth or explicitly allowlist namespaces via DEBUG_ENDPOINT_AUTH_ALLOWED_NAMESPACES.

  • breakingStart migrating off WasmPlugin to TrafficExtension API

    TrafficExtension is now the primary extensibility API, replacing WasmPlugin. WasmPlugin isn't being removed immediately, but new features will land in TrafficExtension first. If you run Wasm extensions in production, plan a migration window and test TrafficExtension parity before 1.31 hardens the deprecation.

  • enhancementUse CIDR ServiceEntry in ambient mode to simplify external IP routing

    Previously, ambient mode required enumerating individual IP endpoints in ServiceEntry. CIDR support means you can now cover entire subnets — useful for external databases, on-prem services, or shared infrastructure with dynamic IPs. If you've been maintaining large lists of individual endpoints, consolidate them now and reduce operational overhead.

主な変更 (5)
  • Experimental agentgateway: new Envoy-replacing data plane for AI/MCP traffic, enabled via PILOT_ENABLE_AGENTGATEWAY=true
  • Debug endpoints (syncz, config_dump) on port 15010 now require auth by default — ENABLE_DEBUG_ENDPOINT_AUTH=true is the new default
  • TrafficExtension API replaces WasmPlugin as the primary proxy extensibility mechanism for sidecars, gateways, and waypoints
  • Ambient mode gains CIDR support in ServiceEntry, optional XFCC synthesis at waypoints, and configurable HBONE window sizing
  • New sidecar-to-ambient migration guide published; migration is designed to be gradual and reversible
原文

Istio

Networking & Messaging2026年5月18日

日本語 準備中Istio 1.29.3 patches two security vulnerabilities — an AuthorizationPolicy bypass and a cross-namespace XDS config leak — alongside a multicluster deadlock fix and AWS EKS ambient mesh probe fix.

  • securityAudit AuthorizationPolicy rules using suffix-match principals or namespace selectors — patch immediately

    Regex metacharacters (., [, etc.) in source.principals and source.namespaces were embedded into Envoy SafeRegex unescaped. This means a policy allowing 'spiffe://cluster.local/ns/foo/sa/bar.admin' could inadvertently also match 'spiffe://cluster.local/ns/foo/sa/barXadmin'. Any service with suffix-based wildcard principal matching is potentially affected. Upgrade to 1.29.3 and review policies where principals or namespace values contain dots, brackets, or other regex metacharacters.

  • securityRotate access controls on XDS debug endpoints — any authenticated workload could read cross-namespace configs

    The /debug/syncz and /debug/config_dump endpoints served by StatusGen had no namespace boundary enforcement. An authenticated workload in namespace A could enumerate and read Envoy configs of workloads in namespace B. If you run multi-tenant clusters or expose istiod debug endpoints, assume cross-namespace config data may have been accessible. Upgrade immediately and audit who has accessed these endpoints via your API server audit logs.

  • breakingMulti-cluster operators: the secret controller deadlock fix may change behavior during cluster updates

    The deadlock in the multicluster secret controller was triggered during remote cluster updates. If your control plane has been experiencing hangs or stalls in multi-cluster scenarios, this fix resolves the root cause — but test your cluster join/leave workflows after upgrading to confirm expected behavior is restored.

主な変更 (5)
  • Security fix: AuthorizationPolicy bypass via unescaped regex metacharacters in source.principals (suffix matches) and source.namespaces — legal Kubernetes names like 'foo.bar' could match unintended identities
  • Security fix: XDS debug endpoints (/debug/syncz, /debug/config_dump) now enforce same-namespace authorization — previously any authenticated workload could read config dumps across namespaces
  • Fixed deadlock in multicluster secret controller during remote cluster updates — critical for multi-cluster deployments
  • Fixed leaf certificate NotAfter time potentially exceeding the signing CA's expiration
  • AWS EKS ambient mesh fix: kubelet health probe failures for pods using Security Groups for Pods (branch ENI) resolved via new AMBIENT_ENABLE_AWS_BRANCH_ENI_PROBE flag (on by default)
原文

Linkerd

Networking & Messaging2026年5月15日

日本語 準備中Native sidecars promoted to GA and enabled by default, plus a security fix restricting Server resources from affecting workloads outside their namespace. Heavy dependency refresh across Rust and Go stacks.

  • securityServer namespace isolation fix — review cross-namespace Server resources immediately

    A fix was applied so that Server resources can no longer affect workloads in namespaces other than their own. If you have intentionally or accidentally created Server policies that were influencing workloads cross-namespace, those policies will silently stop applying after this upgrade. Audit your Server resources across all namespaces and verify that authorization policies still behave as expected post-upgrade. The risk of misconfigured over-broad policies is reduced, but any reliance on the previous behavior will break.

  • breakingNative sidecars are now on by default — audit your cluster before upgrading

    Native sidecar support (using Kubernetes init containers with restartPolicy: Always) is now GA and enabled by default. If your cluster runs Kubernetes < 1.29, native sidecars are unsupported and this will break injection. Even on supported versions, verify that any tooling, admission webhooks, or pod lifecycle assumptions in your workloads are compatible. Test in a staging environment before rolling out to production. If you need the old behavior, explicitly disable the feature flag during install/upgrade.

  • enhancementConfigure honorTimestamps on the linkerd-proxy PodMonitor

    If you're using the Prometheus Operator and have timestamp alignment issues in your Linkerd proxy metrics (e.g., stale or out-of-order samples), you can now set honorTimestamps in the Helm chart for the linkerd-proxy PodMonitor. This is a quality-of-life win for teams with strict metric ingestion pipelines. Set it explicitly during your next Helm upgrade rather than leaving it at the default.

主な変更 (6)
  • Native sidecar injection promoted to GA and now enabled by default — no more feature gate needed
  • Security fix: Server resources are now restricted from affecting workloads in other namespaces
  • Gateway liveness synchronization improved for multi-cluster setups
  • rustls bumped to 0.23.40, openssl and aws-lc-rs updated — crypto stack refreshed
  • Proxy updated to v2.352.0, Go toolchain to 1.25.10, Helm to 3.21.0
  • PodMonitor honorTimestamps now configurable for linkerd-proxy metrics scraping
原文

Cilium

Networking & Messaging2026年5月13日

日本語 準備中Cilium v1.19.4 is a stability-focused patch release with 20+ bug fixes covering crash prevention, IPsec reliability, and Cluster Mesh correctness — upgrade if you run any of those features.

  • securityUpdate moby/spdystream dependency (security fix included)

    This release bumps github.com/moby/spdystream to v0.5.1 as a security fix. The dependency is used in Kubernetes API communication paths. No CVE number is listed in the release notes, but treat this as a prompt to upgrade — staying on v1.19.3 leaves the exposure open.

  • breakingHand-managed EndpointSlices need service-proxy-name label added

    If you set --k8s-service-proxy-name and manage EndpointSlices manually, those slices will now be filtered OUT at the watch level unless they carry the matching service.kubernetes.io/service-proxy-name label. After upgrading, any untagged hand-managed slice becomes invisible to Cilium, causing traffic drops. Audit your EndpointSlices before upgrading and stamp the label on any that are missing it.

  • enhancementPrioritize upgrade if you run IPsec, WireGuard, or Cluster Mesh

    Three distinct data-plane reliability fixes land here: IPsec packet drops during rolling key rotation, WireGuard silent packet loss under constrained MTU with IPv6, and Cluster Mesh missing backends for multi-port services. Any of these can cause hard-to-diagnose intermittent connectivity issues. If your environment uses any of these features, this patch should move to the front of your upgrade queue.

主な変更 (5)
  • Agent no longer crashes on transient network errors during CiliumNode updates — retries instead of calling Fatal
  • IPsec rolling restarts with key rotation fixed: SPI advertisement now deferred until XFRM states are ready, eliminating packet drops
  • WireGuard MTU clamped to IPv6 minimum (1280) when IPv6 is enabled, preventing silent packet loss in tunnel+encryption setups
  • EndpointSlice watch now filtered by service-proxy-name label at the watch level — operators with hand-managed slices must add the label
  • Cluster Mesh: missing global service backends restored when multiple service ports share the same target port
原文

Cilium

Networking & Messaging2026年5月13日

日本語 準備中v1.17.16 patches a cross-namespace traffic hijacking vulnerability in CiliumLocalRedirectPolicy, fixes an IPsec panic on malformed input, and resolves a static pod identity resolution bug.

  • securityAudit LRP addressMatcher configs before upgrading

    The LRP addressMatcher change fixes a real attack vector: a policy in one namespace could previously override a Service frontend and redirect traffic cross-namespace. After upgrading, any LRP that was relying on this override behavior will stop working silently — traffic won't redirect as expected. Before upgrading, audit your CiliumLocalRedirectPolicy objects for addressMatcher entries that overlap with existing Service frontends. If you legitimately need the old behavior, set --enable-lrp-address-matcher-override=true, but treat that as a temporary measure and redesign the policy.

  • securityUpgrade if running IPsec — agent crash risk on malformed input

    The parseSPI panic means a malformed IPsec packet could crash the Cilium agent, taking down networking on that node. This is a low-complexity denial-of-service risk for any cluster using Cilium's IPsec transparent encryption. Upgrade to v1.17.16 promptly if IPsec is enabled in your environment.

  • breakingLRP addressMatcher behavior change is not fully backward-compatible

    This is a behavior change, not just a bug fix. If you have CiliumLocalRedirectPolicies using addressMatcher that overlap with Service ClusterIPs or external IPs, those policies will now be rejected or ignored where they previously worked. Test your LRP configurations in a non-production environment before rolling this upgrade out. The opt-in flag --enable-lrp-address-matcher-override=true exists, but using it means you are accepting the previously-vulnerable behavior.

主な変更 (5)
  • CiliumLocalRedirectPolicy addressMatcher now blocks overriding existing Service frontends — prevents cross-namespace traffic hijacking and service-map corruption; legacy behavior requires opt-in flag
  • IPsec: fixed panic in parseSPI when processing malformed SPI input — previously could crash the agent
  • Static pod endpoint identity resolution fixed for cases where CNI pod UID differs from the Kubernetes mirror pod UID
  • Cluster-pool IPAM metrics for CiliumNode synchronization now properly registered with Kubernetes
  • Security dependency update: moby/spdystream bumped to v0.5.1 (security fix)
原文

Cilium

Networking & Messaging2026年5月13日

日本語 準備中Cilium v1.18.10 is a stability-focused patch release fixing agent crashes, IPsec panics, Cluster Mesh backend gaps, and a data race in IPAM — all backported from upstream.

  • securitymoby/spdystream and x/net security updates are included

    This release pulls in a security fix for github.com/moby/spdystream and bumps x/net to v0.53. Both are network-layer dependencies. If your policy or threat model tracks transitive dependency CVEs, this patch justifies the upgrade on its own.

  • breakingUpgrade encrypted clusters to fix IPsec panic risk

    A panic in parseSPI on malformed IPsec input could crash the agent on nodes running encrypted traffic. If you use IPsec encryption, treat this as a priority upgrade — a malformed packet or misconfigured peer can take down the agent process entirely.

  • enhancementCluster Mesh users with shared target ports should upgrade

    The missing global service backends bug silently dropped backends from services where multiple ports mapped to the same target port. Traffic would route correctly within a single cluster but fail cross-cluster. Upgrade and verify affected services post-rollout using hubble observe or service endpoint inspection.

主な変更 (5)
  • Agent no longer crashes fatally on transient network errors during CiliumNode updates — it retries instead
  • IPsec panic on malformed SPI input fixed, preventing node-level disruption in encrypted clusters
  • Cluster Mesh now correctly propagates global service backends when multiple ports share the same target port
  • CiliumLocalRedirectPolicy no longer hijacks an existing Service frontend before its backend pods are Ready
  • Data race in MultiPoolManager IPAM node updates resolved; x/net bumped to v0.53 for security
原文

Linkerd

Networking & Messaging2026年5月1日

日本語 準備中A routine edge release dominated by dependency bumps, with two meaningful bug fixes: multicluster service cleanup now respects namespaces, and a CLI gateway API version correction.

  • securityRust TLS stack updated — aws-lc-rs, rustls-webpki, rustls-pki-types all bumped

    Several TLS-adjacent crates were updated in one shot: aws-lc-rs 1.16.3, rustls-webpki 0.103.13, and rustls-pki-types 1.14.1. No CVEs are called out explicitly, but these are the cryptographic underpinnings of Linkerd's mTLS. If you're in a security-sensitive environment, this is a good reason to pull this edge over older ones.

  • breakingKubernetes 1.31 is now the minimum supported version

    The MSKV bump to 1.31 means clusters running 1.30 or older are no longer in the supported envelope. Check your cluster versions before adopting this edge release — if you're still on 1.30, upgrade Kubernetes first or hold on this Linkerd edge.

  • enhancementFix multicluster namespace-scoped service cleanup before upgrading

    If you run Linkerd multicluster and have services spread across multiple namespaces, the previous cleanup logic could operate beyond its intended namespace scope. This fix is a correctness improvement — after upgrading, verify your mirrored services are in the expected state, especially if you've seen unexpected service deletions or stale mirrors in non-default namespaces.

主な変更 (6)
  • Multicluster service cleanup logic now correctly scopes to namespaces, preventing cross-namespace service deletion bugs
  • CLI user instructions now reference the correct Gateway API version
  • New Helm value `gateway.healthCheckNodePort` added for gateway deployments
  • Destination controller refactored to use shared-filtering logic
  • Minimum supported Kubernetes version (MSKV) bumped to 1.31
  • Multiple Rust dependency updates: hyper 1.9.0, tokio 1.52.1, aws-lc-rs 1.16.3, rustls-webpki 0.103.13
原文
月別に見る