RATATOSKRATATOSK
ログイン

リリース

CNCF graduated・incubatingプロジェクトのリリースノートのAI分析。

Contour

Networking & Messaging2026年3月23日

Contour v1.31.5 is a security/stability patch: Envoy bumped to v1.34.13, grpc-go updated to patch CVE-2026-33186 (Contour itself unaffected), and a minor manifest cleanup.

  • securityUpgrade for Envoy security fixes — don't wait on this one

    Envoy v1.34.13 carries security vulnerability fixes. The release notes don't enumerate specific CVEs, but Envoy patches at the .13 point release level are serious. Upgrade Contour to pull in the new Envoy image. If you run a heavily customized Envoy config, verify behavior in staging first, but don't sit on this.

  • securityCVE-2026-33186 in grpc-go: patched, Contour not affected — no emergency action needed

    The grpc-go update closes CVE-2026-33186, but Contour's own code doesn't hit the vulnerable path. You still benefit from upgrading since the dependency is bundled in the Contour binary. No emergency rollout required, but include this in your next maintenance window.

  • breakingCheck custom manifests if you rely on Envoy metrics hostPort 8002

    The example manifests no longer expose hostPort: 8002 for Envoy metrics. If you copy or base your deployment manifests on Contour's examples and depend on host-level metrics scraping via that port, update your scrape configs and manifests accordingly. Production installs using the operator or Helm are unlikely to be affected unless you explicitly templated this.

主な変更 (3)
  • Envoy updated to v1.34.13 to address security vulnerabilities and improve stability
  • grpc-go updated to v1.79.3, patching CVE-2026-33186 (Contour is not in the affected code path)
  • Removed hostPort: 8002 from Envoy metrics in example manifests
原文

Cilium

Networking & Messaging2026年3月23日

Cilium v1.19.2 is a patch release focused on stability: fixes span IPSec key rotation races, L7 LB policy bypass, clustermesh goroutine leaks, and a world-accessible Envoy admin socket.

  • securityPatch the world-accessible Envoy admin socket immediately

    The Envoy admin socket was being created accessible to all users on the node (world-accessible). Any workload on the same node could interact with the Envoy admin API. If you're running Cilium with L7 policies or Envoy-based features, upgrade to v1.19.2 now. No config change needed — the fix is in the binary.

  • securityIPSec users: silent packet drops during key rotation are fixed

    A race condition in IPSec key rotation caused packets to be dropped when a peer started using the new key before local XFRM states were ready. If you use IPSec encryption and do rolling key rotations, you were likely seeing unexplained connectivity blips. Upgrade and review your key rotation procedures — the fix also adds logging to the rotation flow, so you'll have better visibility going forward.

  • breakingL7 LB ingress policy bypass — check your enforcement posture

    A bug allowed traffic to bypass ingress policies for local backends when L7 load balancing was active. If you rely on Cilium network policy enforcement for local service backends with L7 LB enabled, your policies may not have been enforced as expected. After upgrading to v1.19.2, verify that traffic is behaving as your policies intend — this fix restores correct enforcement, which could change observed traffic patterns.

主な変更 (5)
  • Security fix: Envoy admin socket was world-accessible (0.0.0.0), now bound correctly — upgrade immediately if running L7 policies
  • IPSec key rotation race condition fixed — packets were silently dropped during key rotation when peers adopted the new key before XFRM states were ready
  • L7 LB bug fixed where ingress policies could be bypassed for local backends — critical for anyone using L7 load balancing with network policy
  • ClusterMesh goroutine leak and EndpointSlice cleanup race fixed when removing a cluster from the mesh
  • Service load balancing backend slot gap bug fixed — could cause traffic misrouting when maintenance backends were present
原文

Cilium

Networking & Messaging2026年3月23日

Cilium v1.18.8 is a bug-fix patch with one critical caveat: GKE users must skip it due to a known regression introduced by the XDP jumbo MTU change.

  • securityPatch the world-accessible Envoy admin socket immediately

    The Envoy admin socket was being created with world-readable/writable permissions, exposing it to any process on the node. This is fixed in v1.18.8. If you're running Cilium with L7 policy or any Envoy-based features, upgrade promptly. On existing nodes, verify socket permissions at /var/run/cilium/envoy/sockets/ — world access means any container with host path access could interact with the admin API.

  • breakingGKE users: do not deploy v1.18.8

    The XDP jumbo MTU support (PR #44499) introduced a regression on GKE. If you're on GKE, skip this version entirely and upgrade to v1.19.2 instead. Running v1.18.8 on GKE risks network disruption. Non-GKE users are not affected by this specific issue.

  • enhancementL7 LB policy bypass and FQDN SNI fixes are worth prioritizing

    Two policy-enforcement bugs are fixed here. First, local backends could bypass ingress policies under L7 LB — meaning traffic wasn't being filtered as expected. Second, wildcard FQDN policies weren't propagating correctly to Envoy when SNI-based matching was in use. If your environment uses either L7 load balancing or FQDN network policies with SNI, this release closes real security gaps. Plan the upgrade accordingly.

主な変更 (5)
  • GKE users: known regression in this release — skip v1.18.8 and go directly to v1.19.2
  • Security fix: Envoy admin socket was world-accessible (0666 permissions); now restricted
  • Fix for wildcard FQDN network policy identities not being pushed to Envoy with SNI-based policies
  • L7 load balancer now correctly enforces ingress policies for local backends (bypass bug fixed)
  • EndpointSlice address removal could be silently missed when multiple slices shared a name — now fixed
原文

Cilium

Networking & Messaging2026年3月23日

Cilium v1.17.14 patches a security issue with Envoy's admin socket permissions and two L7 load balancer policy bypass bugs — upgrade if you use L7 LB or Envoy.

  • securityPatch the world-accessible Envoy admin socket immediately

    The Envoy admin socket was being created with world-accessible permissions, meaning any process on the node could potentially interact with it. This is a local privilege escalation risk in multi-tenant or shared node environments. Upgrade to v1.17.14 now — there's no workaround short of restricting filesystem access externally. Check if your nodes have been running older versions and audit whether the socket was exploitable in your threat model.

  • securityL7 LB was allowing ingress policy bypass for local backends — fix before trusting policy enforcement

    Ingress policies were not being enforced for local backends when L7 load balancing was active. If you rely on network policy to restrict east-west traffic through L7 LB, your policies may not have been effective. After upgrading, verify your ingress policies are behaving as expected, particularly for services with local endpoint backends.

  • enhancementBPF filesystem now included in bugtool — use it for faster incident diagnosis

    The bugtool now captures 'find /sys/fs/bpf' output, which is often the first thing you need when diagnosing BPF map or program issues. No action required, but update your runbooks to note that bugtool output from v1.17.14+ will include this data by default, saving manual SSH steps during incidents.

主な変更 (5)
  • Envoy admin socket was created world-accessible (0777); now fixed to restrict permissions
  • L7 LB on bridge devices now uses hairpin redirect correctly, fixing connectivity issues
  • Ingress policies could be bypassed for local backends via L7 LB — patched
  • Base images updated to v1.25.8, cilium-envoy updated to v1.35.9 with multiple patch builds
  • BPF filesystem paths (/sys/fs/bpf) now included in bugtool output for easier debugging
原文

Linkerd

Networking & Messaging2026年3月19日

A routine dependency-heavy edge release: two proxy bumps (v2.343.0, v2.344.0), Go 1.25.8 upgrade, rustls update, and proxy-init 2.4.6 — no feature additions or breaking changes.

  • securityrustls patch update — pull this into your proxy builds

    rustls went from 0.23.35 to 0.23.37 in the proxy. Two patch versions in one release suggests active bug or security fixes in the TLS layer. If you're running older edge releases, this is a good reason to roll forward. No CVE was cited, but TLS library patches should never be delayed in a service mesh context.

  • enhancementTwo proxy versions landed — check the proxy changelog separately

    This release ships proxy v2.343.0 and v2.344.0 in sequence, meaning two rounds of proxy changes are bundled in. The release notes don't detail what changed in each proxy version. If you're tracking proxy behavior closely (routing, observability, protocol detection), check the linkerd2-proxy repo's changelog for these two versions before deploying.

  • enhancementGo 1.25.8 in the control plane — standard maintenance upgrade

    The control plane is now on Go 1.25.8. This is a patch release of Go and likely includes minor runtime fixes. No action required unless you're building custom tooling against Linkerd's Go modules — in that case, align your toolchain accordingly.

主な変更 (5)
  • Proxy bumped twice to v2.343.0 then v2.344.0 within this release cycle
  • Go runtime upgraded to 1.25.8 across the control plane
  • rustls updated from 0.23.35 to 0.23.37 — patch-level TLS library update in the proxy
  • proxy-init bumped from 2.4.5 to 2.4.6
  • openssl-sys and grpc dependencies updated (0.9.112 and 1.79.3 respectively)
原文

Strimzi

Networking & Messaging2026年3月12日

Strimzi 0.45.2 is the final patch release for the 0.45.x branch, focusing on critical CVE fixes and Kafka 3.9.2 support while serving as the last version supporting ZooKeeper-based clusters.

  • securityApply patch immediately for CVE fixes

    This release addresses multiple high-priority CVEs in ZooKeeper, JWT libraries, and networking components. Upgrade to 0.45.2 immediately to patch these vulnerabilities, especially if you handle sensitive data or run internet-facing services.

  • breakingMigrate to KRaft before upgrading beyond 0.45.x

    This is your last chance to run ZooKeeper-based Kafka clusters in Strimzi. Plan your KRaft migration now since Strimzi 0.46+ will only support KRaft mode. Follow the official KRaft migration guide and test thoroughly in non-production first.

  • breakingHandle Kafka 3.9.2 annotation issue for future upgrades

    If you're using Kafka 3.9.2, upgrading to Strimzi 0.46-0.51 will require manually updating pod annotations. Save the provided kubectl command for when you upgrade: it updates the Kafka version annotation on pods to prevent operator failures.

主な変更 (5)
  • Final patch release for 0.45.x branch - no further patches will be released
  • Added support for Apache Kafka 3.9.2 with container image updates
  • Multiple CVE fixes including ZooKeeper CVE-2024-47554, Nimbus Jose JWT CVE-2025-53864, and GRPC Netty Shaded CVE-2025-55163
  • Last Strimzi version to support ZooKeeper-based Kafka clusters and MirrorMaker 1
  • Upgraded dependency versions: Vert.x 4.5.24, Netty 4.1.130.Final, Apache Log4J 2.25.3, Cruise Control 2.5.146
原文

Linkerd

Networking & Messaging2026年3月12日

Linkerd edge-26.3.2 delivers routine dependency updates across Rust, Go, and Node.js components, plus a metrics improvement that prevents scraping from failed pods and completed jobs.

  • enhancementMonitor metrics collection improvements

    The update excludes failed pods and completed jobs from proxy metrics scraping, reducing noise in your monitoring data. Review your current metrics dashboards to see if you notice cleaner data patterns after upgrading, and consider adjusting any alerting thresholds that may have been accounting for this noise.

  • enhancementTest edge release in non-production first

    This edge release bundles many dependency updates at once. Deploy to staging environments first to validate that the combined changes don't introduce unexpected behavior in your specific workload patterns before rolling to production clusters.

主な変更 (4)
  • Updated proxy to v2.342.0 with latest improvements
  • Comprehensive dependency updates across Rust (pin-project-lite, ryu, anyhow), Go (gRPC, klog), and JavaScript (webpack, babel-loader) components
  • Enhanced metrics collection by excluding failed pods and completed jobs from proxy scraping
  • Upgraded Docker build actions to v4.0.0 and v7.0.0 for improved CI/CD workflows
原文

Envoy

Networking & Messaging2026年3月11日

Envoy v1.37.1 is a critical security patch addressing five CVEs including crash vulnerabilities and RBAC bypasses. Teams running production Envoy should prioritize immediate updates.

  • securityApply critical CVE fixes immediately

    Five CVEs fixed including crash conditions in rate limiting and IPv6 handling, plus an RBAC bypass. Test your deployment in staging first, then schedule emergency maintenance to update production clusters within 24-48 hours.

  • enhancementReview OAuth2 and ext_authz configurations

    If you use OAuth2 refresh tokens, verify host header behavior works correctly after the fix. For ext_authz users, check that error handling now properly respects your status_on_error settings and denied response headers reach clients as expected.

  • enhancementValidate ext_proc filter chains

    Multiple ext_proc filters in a chain now work correctly. If you previously avoided chaining due to bugs, test this functionality in your development environment to simplify complex processing pipelines.

主な変更 (5)
  • Fixed five security vulnerabilities including rate limit crash, multivalue header RBAC bypass, and IPv6 address crash
  • Resolved OAuth2 host header rewriting issue affecting refresh token requests
  • Enhanced ext_proc filter to support multiple filters in chain configuration
  • Improved ext_authz error handling for 5xx responses and proper header propagation
  • Introduced extended ABI forward compatibility for dynamic modules
原文

Envoy

Networking & Messaging2026年3月11日

Envoy v1.36.5 delivers critical security patches addressing five CVEs including crash vulnerabilities in rate limiting, RBAC bypass issues, and memory corruption bugs that require immediate upgrading.

  • securityUpgrade immediately for critical crash fixes

    Multiple CVEs can cause Envoy crashes or memory corruption. The rate limiting crash (CVE-2026-26330) and IPv6 address handling bug (CVE-2026-26310) pose immediate availability risks. Schedule emergency maintenance windows to deploy this patch, especially if you use rate limiting or handle IPv6 traffic.

  • securityReview RBAC policies for multivalue header bypass

    CVE-2026-26308 allowed bypassing RBAC rules through multivalue headers. After upgrading, audit your RBAC configurations to ensure they weren't exploited and verify that header-based access controls work as expected in your environment.

  • enhancementTest OAuth2 workflows after host rewriting fix

    The OAuth2 refresh bug fix changes how host headers are handled during authentication flows. If you use Envoy for OAuth2 with custom host rewriting rules, test your authentication workflows thoroughly after upgrading to ensure tokens refresh correctly.

主な変更 (5)
  • Five CVE fixes covering rate limit crashes, RBAC multivalue header bypass, IPv6 address handling crashes, JSON string corruption, and HTTP decode method blocking
  • OAuth2 refresh request bug fix preventing host rewriting from overriding original Host values
  • Migration from internal googleurl to open source Google GURL library
  • Kafka test binary updated to version 3.9.2
  • Docker base image security updates
原文

Envoy

Networking & Messaging2026年3月10日

Envoy v1.35.9 delivers critical security patches for four CVEs affecting RBAC, IPv6 handling, JSON processing, and HTTP decoding, plus OAuth2 host rewriting fixes.

  • securityUpgrade immediately for critical security fixes

    Four CVEs fixed in this release could lead to authentication bypass, crashes, and memory corruption. Schedule immediate deployment especially if using RBAC policies, IPv6 networking, JSON processing, or experiencing downstream connection resets. Test thoroughly in staging first as security fixes can affect request handling behavior.

  • enhancementValidate OAuth2 host rewriting behavior

    OAuth2 refresh requests now correctly preserve original Host headers instead of being overridden. If your setup relies on custom host rewriting for OAuth2 flows, verify that authentication still works as expected after upgrading. This change improves compliance with OAuth2 specifications.

主な変更 (5)
  • Four CVE fixes addressing RBAC multivalue header bypass, IPv6 crash, JSON corruption, and HTTP decode blocking issues
  • OAuth2 refresh requests now preserve original Host header values during host rewriting
  • Migration from internal googleurl to open GitHub repository (google/gurl)
  • Kafka test binary updated to version 3.9.2
  • Docker base images refreshed to latest versions
原文

Envoy

Networking & Messaging2026年3月10日

Critical security patch addressing four CVEs including RBAC bypass, IPv6 crash, memory corruption, and HTTP decode vulnerabilities that require immediate upgrade.

  • securityUpgrade immediately for RBAC bypass fix

    CVE-2026-26308 allows attackers to bypass RBAC policies using multivalue headers. This directly impacts access control security. Schedule emergency maintenance to upgrade all Envoy instances, especially those using RBAC for authorization.

  • securityPatch IPv6 crash vulnerability in production

    CVE-2026-26310 causes crashes when processing scoped IPv6 addresses, leading to service disruption. If you handle IPv6 traffic or run dual-stack configurations, prioritize this upgrade to prevent potential DoS attacks.

  • securityAddress JSON processing memory corruption

    CVE-2026-26309 corrupts string null terminators during JSON processing, potentially leading to memory corruption or information disclosure. Update immediately if your services process JSON payloads through Envoy.

主な変更 (5)
  • Fixed CVE-2026-26308 multivalue header bypass in RBAC that could allow unauthorized access
  • Resolved CVE-2026-26310 crash vulnerability when processing scoped IPv6 addresses
  • Patched CVE-2026-26309 off-by-one memory write bug in JSON processing
  • Fixed CVE-2026-26311 HTTP decode method vulnerability after downstream resets
  • Corrected OAuth2 refresh request host rewriting behavior
原文

Istio

Networking & Messaging2026年3月10日

Istio 1.29.1 was released, but the published notes are too brief to summarize. See the original release notes for details.

原文

Istio

Networking & Messaging2026年3月10日

Istio 1.28.5 was released, but the published notes are too brief to summarize. See the original release notes for details.

原文

Istio

Networking & Messaging2026年3月10日

Istio 1.27.8 was released, but the published notes are too brief to summarize. See the original release notes for details.

原文

NATS

Networking & Messaging2026年3月9日

NATS v2.12.5 delivers critical security fixes for leafnode compression and WebSocket vulnerabilities, while significantly improving JetStream backup performance and fixing numerous stability issues in filestore operations.

  • securityUpdate immediately for critical CVE fixes

    Two CVEs affect production systems: CVE-2026-29785 impacts leafnode compression and CVE-2026-27889 affects WebSocket connections. Both can cause server panics or security issues. Schedule maintenance window to update all NATS servers running v2.12.4 or earlier.

  • enhancementOptimize JetStream backups for unreliable networks

    Stream backups now support window_size parameter for better flow control. If you run backups over slow or unreliable connections, configure appropriate window sizes to improve throughput and reduce backup failures. Test with your network conditions to find optimal values.

  • enhancementReview async metalayer snapshot behavior

    Metalayer snapshots now run asynchronously to prevent blocking JS API operations. This improves performance but changes timing behavior. If your applications rely on synchronous snapshot timing, set `meta_compact_sync: true` in jetstream config block to restore previous behavior.

主な変更 (5)
  • Critical CVE fixes for leafnode compression (CVE-2026-29785) and WebSocket parsing (CVE-2026-27889)
  • JetStream stream backups now use improved flow control with window_size parameter for better performance over unreliable connections
  • Metalayer snapshots now run asynchronously by default to prevent blocking JS API operations
  • Fixed multiple filestore race conditions and lock leaks that could cause crashes or performance degradation
  • WebSocket handling improvements including proper frame validation and compression state management
原文

NATS

Networking & Messaging2026年3月9日

NATS v2.11.14 is a critical security release addressing two CVEs affecting leafnode compression and WebSocket features, plus multiple stability fixes to prevent server panics.

  • securityUpgrade immediately if using leafnodes or WebSockets

    Two CVEs affect common NATS configurations. If you have leafnode compression or WebSocket features enabled, upgrade immediately to prevent potential security exploits. Check your configuration for 'compression: enabled' in leafnode sections or 'websocket' listeners.

  • securityReview WebSocket Origin validation settings

    Origin header validation now includes protocol scheme verification. Audit your WebSocket client configurations to ensure they specify correct origins (including https:// or wss:// schemes) to avoid connection rejections after upgrade.

  • enhancementMonitor for reduced panic incidents

    This release fixes multiple panic conditions in leafnode and WebSocket handling. After upgrading, you should see fewer unexpected server restarts. Review your monitoring dashboards to confirm improved stability metrics.

主な変更 (5)
  • Fixes CVE-2026-29785 affecting leafnode compression systems
  • Fixes CVE-2026-27889 affecting WebSocket-enabled deployments
  • Prevents server panics from leafnode subscription race conditions
  • Improves WebSocket frame parsing and payload validation
  • Enhanced Origin header validation for WebSocket security
原文

Linkerd

Networking & Messaging2026年3月6日

Edge release focused on dependency maintenance with proxy updates to v2.341.0. Notable addition of extra attributes in Kubernetes SubjectAccessReview for improved authorization handling.

  • enhancementEvaluate SubjectAccessReview improvements for RBAC

    The addition of extra attributes in SubjectAccessReview requests improves authorization evaluation accuracy. Review your current RBAC policies to ensure they handle additional context properly, especially if using custom authorization webhooks or detailed access controls.

  • enhancementMonitor proxy performance after v2.341.0 update

    Three proxy version bumps indicate active development. Test performance and connection handling in your environment, particularly if you've experienced proxy-related issues. The incremental updates suggest gradual improvements rather than breaking changes.

主な変更 (5)
  • Proxy updated from v2.339.0 to v2.341.0 across multiple incremental releases
  • Major dependency updates including Tokio v1.50.0, axum v0.8.8, and Kubernetes client libraries
  • SubjectAccessReview now includes extra attributes for enhanced RBAC evaluation
  • Security framework updates including aws-lc-rs to v1.16.0 and rustls-pki-types to v1.14.0
  • GitHub Actions updated to newer versions (upload-artifact v7.0.0, download-artifact v8.0.0)
原文

Strimzi

Networking & Messaging2026年3月6日

Strimzi 0.51.0 addresses critical CVEs and drops support for Kubernetes versions below 1.30, while adding Kafka 4.2.0 support and moving ServerSideApplyPhase1 to beta.

  • securityUpgrade immediately for CVE fixes

    Two critical CVEs affect Strimzi 0.47.0 and newer versions. Review the security advisories to determine if your deployment is affected, then upgrade to 0.50.1 or 0.51.0 immediately. The CVE numbers appear to be from 2026, which suggests these may be embargoed vulnerabilities with delayed disclosure.

  • breakingVerify Kubernetes compatibility before upgrading

    Strimzi 0.51.0 requires Kubernetes 1.30+. Check your cluster version before upgrading. If running Kubernetes 1.27-1.29, upgrade your cluster first or remain on an earlier Strimzi version until cluster upgrade is possible.

  • breakingUpdate CRDs and KafkaUser resources during upgrade

    Manually upgrade CRDs as part of the Strimzi upgrade process, especially when using Helm. For clusters upgrading from 0.48 or older, update KafkaUser resources to use the new `.spec.authorization.acls[]operations` field format before upgrading.

主な変更 (5)
  • Critical security fixes for CVE-2026-27133 and CVE-2026-27134 requiring immediate upgrade from versions 0.47.0+
  • Kubernetes 1.30+ now required - versions 1.27, 1.28, and 1.29 no longer supported
  • Added Kafka 4.2.0 support while removing Kafka 4.0.0 and 4.0.1 compatibility
  • Per-listener Kafka configuration options now available for connection limits and reauthentication settings
  • Ingress listener type deprecated due to upstream project archival in March 2026
原文

Contour

Networking & Messaging2026年2月20日

Contour v1.33.2 is a maintenance release that fixes a critical HTTPProxy status update bug, upgrades Go to v1.25.7, and improves CPU allocation for the shutdown-manager container.

  • securityUpgrade for Go security patches

    Go v1.25.7 includes security fixes and performance improvements. Schedule an upgrade to benefit from these updates, especially if you're running production workloads with previous Contour versions.

  • breakingFix HTTPProxy status update issues

    If you're experiencing load balancer status update failures with HTTPProxy resources, this release fixes the CRD schema issue. Upgrade immediately if you rely on status fields for monitoring or automation.

  • enhancementImproved Gateway Provisioner performance

    The increased CPU limit for shutdown-manager prevents throttling issues. If you're using Contour Gateway Provisioner and experiencing slow shutdown operations, this upgrade will improve performance.

主な変更 (4)
  • Go runtime updated to v1.25.7 for latest security and performance improvements
  • Fixed HTTPProxy CRD schema bug causing load balancer status update failures
  • Increased shutdown-manager CPU limit from 50m to 200m in Gateway Provisioner to prevent throttling
  • Maintains compatibility with Kubernetes versions 1.32 through 1.34
原文

Contour

Networking & Messaging2026年2月20日

Contour v1.32.3 is a maintenance release that updates Go runtime to v1.24.13 and fixes a critical CRD schema bug preventing load balancer status updates.

  • securityUpdate for Go Security Fixes

    Go v1.24.13 includes security patches. Schedule upgrade to v1.32.3 during your next maintenance window to benefit from runtime security improvements and bug fixes.

  • breakingFix Load Balancer Status Issues

    If you're experiencing load balancer status update failures with HTTPProxy resources, upgrade immediately. The CRD schema fix resolves status reporting issues that could affect traffic routing visibility and monitoring.

主な変更 (4)
  • Go runtime updated to v1.24.13 with security fixes and improvements
  • Fixed HTTPProxy CRD schema bug that incorrectly marked status.loadBalancer.ingress[].ports[].error as required field
  • Resolved load balancer status update failures affecting ingress traffic routing
  • Maintained compatibility with Kubernetes versions 1.31 through 1.33
原文

Contour

Networking & Messaging2026年2月20日

Contour v1.31.4 is a patch release addressing a critical load balancer status update bug and updating Go to v1.24.13 for security and stability improvements.

  • securityUpgrade for Go security patches

    Go v1.24.13 includes security fixes that improve runtime security. Plan to upgrade Contour to v1.31.4 during your next maintenance window to benefit from these security improvements.

  • enhancementFix load balancer status reporting issues

    If you've experienced failures in load balancer status updates with HTTPProxy resources, this release resolves the CRD schema issue. Upgrade to restore proper status reporting functionality, especially important for automation and monitoring systems that depend on load balancer status.

主な変更 (4)
  • Go runtime updated to v1.24.13 for security and performance improvements
  • Fixed HTTPProxy CRD schema bug causing load balancer status update failures
  • Maintains compatibility with Kubernetes 1.30-1.32
  • Focused on stability improvements with no breaking changes
原文

gRPC

Networking & Messaging2026年2月20日

gRPC v1.78.1 is a maintenance release addressing critical Python fork handling issues and Ruby 4.0 compatibility, with no breaking changes for most users.

  • enhancementUpgrade to resolve Python multithreading issues

    This release fixes a critical bug where Python applications using gRPC in multithreaded environments with fork() would hang with 'Other threads are currently calling into gRPC, skipping fork() handlers' errors. If you're experiencing similar issues, upgrade immediately and test your fork-heavy workloads.

  • enhancementPlan Ruby 4.0 migration path

    With Ruby 4.0 support now available, review your Ruby-based gRPC services for compatibility testing. The native gems should provide better performance, but validate your deployment pipeline supports the new Ruby version before upgrading production systems.

主な変更 (4)
  • Fixed Python fork support inconsistency causing request processing hangs in multithreaded environments
  • Removed unintentional warning log messages in Python implementations
  • Added Ruby 4.0 support with native gem builds
  • Updated Python API documentation site with modern design
原文

Strimzi

Networking & Messaging2026年2月19日

Strimzi 0.50.1 is a critical security patch addressing two CVEs affecting versions 0.47.0+, with mandatory CRD upgrades and final support for Kubernetes 1.27-1.29.

  • securityImmediate upgrade required for CVE fixes

    If running Strimzi 0.47.0 or newer, immediately review the CVE advisories and upgrade to 0.50.1. These are critical security vulnerabilities that require urgent patching in production environments.

  • breakingUpdate KafkaUser resources before upgrading

    Before upgrading, update all KafkaUser resources to use .spec.authorization.acls[]operations field instead of the deprecated .spec.authorization.acls[]operation field to avoid compatibility issues.

  • breakingPlan Kubernetes upgrade for Strimzi 0.51+

    This is the final version supporting Kubernetes 1.27-1.29. Plan to upgrade your clusters to Kubernetes 1.30+ before upgrading to Strimzi 0.51.0 or newer to maintain compatibility.

主な変更 (5)
  • Fixes two critical security vulnerabilities CVE-2026-27133 and CVE-2026-27134 affecting Strimzi 0.47.0+
  • Includes full CA chain in broker certificates for improved TLS certificate validation
  • Fixes bugs in v1 API conversion tool for number conversions and empty YAML handling
  • Last version supporting Kubernetes 1.27, 1.28, and 1.29 - future versions require K8s 1.30+
  • Continues migration to v1 APIs with mandatory CRD upgrades, especially critical for Helm users
原文
← 新しい