RATATOSKRATATOSK
ログイン

リリース

CNCF graduated・incubatingプロジェクトのリリースノートのAI分析。

Knative

Orchestration & Management2026年3月24日

Knative v1.21.2 is a small patch release with one TLS improvement and a heads-up that secure-pod-defaults will flip to AllowRootBounded in v1.22.

  • breakingAudit root-dependent workloads before v1.22 ships

    The AllowRootBounded secure-pod-defaults setting is coming as the new default in v1.22. If any of your Knative Services run containers that require root (e.g., legacy apps, certain base images), they will break after that upgrade. Right now, while you're on v1.21, test those workloads with AllowRootBounded explicitly enabled. If they fail, set secure-pod-defaults to 'disabled' in your config-features ConfigMap before upgrading to v1.22 — don't wait until upgrade day.

  • enhancementConfigurable TLS via knative.dev/pkg/network/tls

    The shift to the shared knative.dev/pkg/network/tls library gives operators more control over TLS settings in Serving. If you manage custom TLS configurations or have internal PKI requirements, review whether this change aligns your TLS behavior with expectations — particularly in environments where cipher suites or minimum TLS versions are enforced by policy.

主な変更 (3)
  • TLS configuration now uses knative.dev/pkg/network/tls for more flexible, configurable TLS behavior in Serving
  • secure-pod-defaults remains disabled by default in v1.21, but AllowRootBounded will become the default in v1.22
  • AllowRootBounded improves security posture while maintaining compatibility with most (but not all) images that expect root access
原文

wasmCloud

Orchestration & Management2026年3月22日

v2.0.1 is a minor housekeeping release — migrates the runtime-operator Go module to v2, regenerates protos, and cleans up a temporary go.work workaround.

  • breakingUpdate import paths if you import the runtime-operator Go module

    The runtime-operator Go module moved to a v2 module path. Any Go code importing it directly must update import paths to include the /v2 suffix. If you're only running wasmCloud as an operator and not importing the module in your own code, no action is needed.

  • enhancementUpgrade from v2.0.0 if you hit proto or lint issues

    This patch fixes regenerated protos and removes a temporary go.work shim that may have caused inconsistencies in local development builds. If you were building the operator from source against v2.0.0, pull this patch to avoid stale proto or dependency resolution issues.

主な変更 (3)
  • runtime-operator Go module migrated to v2 module path
  • Protobuf files regenerated to match v2 module changes
  • Temporary go.work replace directive removed; gateway linting restored
原文

wasmCloud

Orchestration & Management2026年3月22日

wasmCloud v2.0.0 is the stable release of the v2 runtime, bringing HTTP/2+gRPC support, OpenTelemetry metrics, wasmtime 42, and a security fix for RUSTSEC-2026-0007.

  • securityPatch RUSTSEC-2026-0007 by upgrading immediately

    The lock file was updated to address RUSTSEC-2026-0007. If you're running any pre-v2.0.0 build, treat this as a mandatory upgrade. Check your supply chain tooling (cargo-audit, Dependabot) to confirm the vulnerable dependency is resolved in your environment.

  • breakingHelm users: CRD path changed, update your GitOps pipelines

    CRDs were moved from templates/crds to a top-level /crds directory. This is a structural change that will break ArgoCD, Flux, or any Helm-based GitOps pipeline that references the old path. Before upgrading, verify your Helm release and CI/CD tooling point to the new CRD location.

  • enhancementEnable metrics now — observability is first-class in v2

    OpenTelemetry metrics support is included out of the box. If you're already running an OTEL collector, wire up wasmCloud v2 to it and start collecting runtime metrics. This is the right time to establish baseline dashboards before rolling this to production, not after.

主な変更 (6)
  • HTTP/2 and gRPC transport support added to the runtime
  • OpenTelemetry metrics support integrated for observability
  • Upgraded to wasmtime 42, the latest WebAssembly runtime engine
  • Security fix: lock file updated to address RUSTSEC-2026-0007
  • Helm chart CRDs moved from templates/crds to /crds directory — affects Helm deployments
  • wash CLI modernized to clap v4 idioms with improved help output
原文

Dapr

Orchestration & Management2026年3月19日

Dapr v1.17.2 is a high-priority patch with three Go stdlib CVE fixes, a CRD breaking change requiring manual update, and fixes for cascading actor placement failures and streaming OOM issues.

  • securityUpgrade immediately to patch three Go stdlib CVEs

    Go 1.24.x carried GO-2026-4601 (IPv6 SSRF via net/url), GO-2026-4602 (path escape via os.Root), and GO-2026-4603 (XSS via html/template). If your Dapr sidecars handle user-supplied URLs or template rendering in any adjacent service, exposure is real. Upgrade to v1.17.2 now — the fix is a Go toolchain bump, so no code changes are needed on your end.

  • breakingManually update CRDs before Helm upgrade or daprd will fail to start

    The `stateRetentionPolicy` fields in the Configuration CRD changed from `type: integer` to `type: string`. Helm does not update CRDs automatically. If you run `helm upgrade` without updating the CRD first, any existing Configuration objects using duration strings will fail Kubernetes validation and daprd may fail to load its config. Run the CRD update step from the Kubernetes upgrade guide before touching Helm. If you're not using workflow state retention policies today, the risk is lower, but update the CRD anyway to stay consistent.

  • enhancementLarge actor deployments and streaming workloads should prioritize this patch

    Two fixes deserve immediate attention beyond security. First, deployments with 50+ actor replicas were hitting cascading dissemination timeouts in 1.17.x — the placement service batching fix in this release resolves that. Second, any service invocation path passing large or streaming bodies (file uploads, SSE, chunked data) was silently OOM-killing sidecars by buffering everything in memory. Both are now fixed. If either pattern applies to your workload, treat this upgrade as urgent rather than routine.

主な変更 (5)
  • Three Go stdlib CVEs fixed (XSS in html/template, path escape in os.Root, IPv6 parsing in net/url) by upgrading to Go 1.25.8
  • Breaking change: Workflow state retention policy CRD fields corrected from integer to string type — manual CRD update required before Helm upgrade
  • Actor placement dissemination fixed for large deployments (50+ replicas) — cascading timeout loop now resolved
  • Service invocation no longer buffers entire streaming request/response bodies in memory, preventing sidecar OOM kills
  • Pub/sub messages no longer routed to dead-letter queue during graceful shutdown; bulk publish now applies namespace prefix correctly
原文

Operator Framework

Orchestration & Management2026年3月19日

Patch release bumping grpc from 1.78.0 to 1.79.3 and updating the Ansible operator plugin. Minimal surface area — safe to adopt quickly.

  • securityUpgrade for gRPC dependency fix

    The grpc bump from 1.78.0 to 1.79.3 spans two minor versions and likely includes bug fixes that could affect stability or security of operator-to-registry communication. gRPC CVEs and transport-layer issues have historically been silent but impactful. Review the grpc changelog for your risk profile, then upgrade — this patch is low-risk and the dependency delta is well-contained.

  • enhancementAnsible plugin users should rebuild operator images

    If you maintain Ansible-based operators, the plugin update in this release means your scaffolded or generated code may drift from the current baseline. After upgrading the SDK, re-run scaffolding checks or regenerate any plugin-managed files to stay aligned. Not urgent, but worth doing before your next operator release cycle.

主な変更 (3)
  • google.golang.org/grpc bumped from 1.78.0 to 1.79.3 via dependabot
  • Ansible operator plugin updated to match v1.42.2 release
  • Post-release generated file sync from v1.42.1
原文

KubeVirt

Orchestration & Management2026年3月16日

KubeVirt v1.7.2 is a patch release fixing 7 bugs across networking, storage, monitoring, and backup — no new features, but several fixes that could unblock production issues.

  • breakingCheck VMI specs if you're running mixed NIC configurations

    The infinite status loop fix targets VMIs where the primary network interface appears after a secondary one in the spec. If you have VMs stuck in update churn or virt-controller/virt-handler showing abnormal CPU/log volume, this is likely the cause. Upgrade to v1.7.2 and verify your VMI specs list the primary interface first to avoid re-triggering the issue on older clusters.

  • enhancementWindows VM backup users should update for reliable Velero integration

    The QuiesceFailed-to-QuiesceTimeout change plus a 60s pre-backup hook timeout directly addresses flaky Windows VSS snapshot behavior during Velero backups. If you're backing up Windows VMs and seeing intermittent quiesce failures, this patch resolves it. Review your Velero backup policies to ensure the hook timeout aligns with your SLAs.

  • enhancementGoogle Cloud NetApp Volumes storage migration is unblocked

    If you're running VMs on GCP with NetApp Volumes and tried live storage migration, it was silently failing. This patch fixes that. Test your migration workflows after upgrading — especially if you deferred any storage moves because of this bug.

主な変更 (7)
  • Fixed infinite VMI status update loop when primary NIC is listed after secondary interfaces in the VMI spec
  • Fixed PCI address stability across upgrades when using v3 hotplug port topology
  • Fixed storage migration failures with Google Cloud NetApp Volumes
  • Corrected kubevirt_allocatable_nodes metric to exclude non-schedulable nodes
  • Replaced QuiesceFailed with QuiesceTimeout for Windows VSS backups, adding a 60s Velero pre-backup hook timeout
  • Fixed low-replica alerts to use the deployment's defined replica count as the baseline
  • Fixed socket devices failing to update health status when Persistent Reservations is enabled
原文

KubeVirt

Orchestration & Management2026年3月16日

KubeVirt v1.6.4 is a patch release with 108 changes targeting stability: a CVE fix in crypto, several hotplug/migration bugs squashed, and new vCPU queue alerting.

  • securityPatch CVE-2025-47913 — upgrade to v1.6.4 now

    CVE-2025-47913 affects the golang/x/crypto dependency. This release pins it to OpenShift's patched fork. If you're running any v1.6.x release before v1.6.4, you're exposed. Upgrade immediately — no workaround exists short of patching the binary yourself.

  • breakingCross-vendor live migrations are now blocked

    KubeVirt will now explicitly prevent live migrations between nodes with different CPU vendors (e.g., Intel to AMD). If your cluster has mixed CPU vendors and you've been relying on cross-vendor migration — intentionally or not — audit your node topology before upgrading. Migrations that previously succeeded may now fail with an error.

  • enhancementAdd vCPU queue alerts to your monitoring setup

    Two new alerts ship in this release: GuestPeakVCPUQueueHighWarning and GuestPeakVCPUQueueHighCritical. If you're running KubeVirt with Prometheus, check that these alerts are picked up by your alerting rules. They give you early warning on guest CPU starvation, which is otherwise invisible until VMs start misbehaving under load.

主な変更 (5)
  • CVE-2025-47913 remediated by redirecting golang/x/crypto to the patched openshift/golang-crypto module
  • PCI address stability fixed across upgrades when using v3 hotplug port topology
  • Block volume hotplug no longer breaks autoattachVSOCK
  • New Prometheus alerts: GuestPeakVCPUQueueHighWarning and GuestPeakVCPUQueueHighCritical for guest CPU saturation visibility
  • Memory overcommit is now recalculated on live migration, and cross-vendor migrations are explicitly blocked
原文

Dapr

Orchestration & Management2026年3月9日

Dapr 1.17.1 fixes critical runtime issues including WASM component registration failures on production architectures and workflow cleanup problems.

  • breakingUpgrade immediately if using WASM components

    WASM binding and middleware components were completely broken on production architectures in v1.16.0-v1.17.0. Applications using these components failed to start. Test your WASM components after upgrading to confirm they register and function correctly.

  • enhancementExpect placement service performance improvements

    Large clusters with many non-actor sidecars will see reduced placement overhead. Monitor placement service metrics and actor invocation latency—you should observe fewer lock cycles and improved performance, especially during sidecar restarts.

  • enhancementReview workflow cleanup configurations

    Previously stalled workflows that became unstalled can now be properly cleaned up. Verify your state retention policies are working as expected and check for any workflow instances that should have been purged but weren't.

主な変更 (4)
  • WASM binding and middleware components now register properly on amd64/arm64/arm architectures after filename build constraint fix
  • Previously stalled workflows can now be cleaned up by state retention policies and purge APIs
  • Placement service no longer triggers unnecessary dissemination cycles for sidecars without actor types
  • Bulk subscription timers properly reset after early dispatch due to message count limits
原文

Dapr

Orchestration & Management2026年3月6日

Dapr 1.16.10 fixes critical WASM component registration failures on production architectures and patches security vulnerabilities in Go runtime and OpenTelemetry SDK.

  • securityUpdate for Go runtime and OpenTelemetry security patches

    This release patches vulnerabilities in Go 1.25.7 (crypto/tls, go command) and OpenTelemetry SDK (arbitrary code execution via PATH hijacking). Plan your upgrade within your normal security patching window, prioritizing environments where PATH manipulation is possible.

  • breakingUpgrade immediately if using WASM components

    WASM binding and middleware components have been completely broken on production architectures since v1.16.0. If you're using these components and running v1.16.0-v1.16.9, upgrade to v1.16.10 immediately as your WASM components are silently failing to register.

  • enhancementReview Pulsar Avro message publishing for early error detection

    Pulsar PubSub now validates JSON messages against Avro schemas before publishing, catching malformed data earlier. Test your Pulsar publishing workflows to ensure they handle the new validation errors gracefully and benefit from faster codec performance.

主な変更 (5)
  • Fixed WASM binding and middleware components failing to register on amd64/arm64 architectures due to filename collision with Go build constraints
  • Added Pulsar PubSub Avro schema validation to prevent malformed messages from being published without error feedback
  • Updated Go runtime to 1.25.7 with security fixes for crypto/tls and go command vulnerabilities
  • Upgraded OpenTelemetry SDK to v1.40.0 to patch arbitrary code execution vulnerability (GO-2026-4394)
  • Cached Pulsar Avro codec compilation at initialization for improved publishing performance
原文

Karmada

Orchestration & Management2026年2月28日

Karmada v1.16.3 is a bug-fix release addressing critical issues including controller race conditions, scheduler panics, and graceful eviction problems that could impact multi-cluster operations stability.

  • breakingUpgrade immediately to prevent scheduler crashes

    The scheduler panic fix for divide-by-zero errors is critical for production stability. Schedule maintenance window to upgrade karmada-scheduler component, especially if you use spread constraints across clusters with dynamic availability.

  • enhancementReview CronFederatedHPA configurations after upgrade

    The fix for CronFederatedHPA scale-up failures when replicas field is missing improves reliability. After upgrading, verify your CronFederatedHPA resources are scaling correctly from zero replicas, and consider adding explicit replicas fields to avoid edge cases.

  • enhancementMonitor graceful eviction behaviors post-upgrade

    The graceful eviction timing fix prevents GracePeriodSeconds leakage between tasks. After upgrade, monitor your workload evictions to ensure they complete within expected timeframes and adjust grace periods if needed for improved resource cleanup.

主な変更 (5)
  • Fixed job status aggregator race condition causing error loops in controller manager
  • Resolved CronFederatedHPA scaling failures when replicas field is missing
  • Corrected graceful eviction task timing issues preventing proper resource cleanup
  • Fixed scheduler divide-by-zero panic when no valid clusters available for spread constraints
  • Improved backoff queue sorting to prevent priority inversion in scheduler operations
原文

Karmada

Orchestration & Management2026年2月28日

Karmada v1.15.6 is a critical bug-fix release addressing race conditions, scheduler panics, and CronFederatedHPA failures that could impact production stability.

  • securityBase image security update included

    Alpine base image updated to 3.23.3 which may include security patches. Review your container scanning results after upgrade and update any custom images based on Karmada components.

  • breakingCritical scheduler stability fixes require immediate update

    The scheduler panic fix and backoff queue corrections address critical stability issues that could cause service disruptions. Plan immediate upgrade for production environments running multi-cluster workloads with spread constraints or high scheduling volumes.

  • enhancementCronFederatedHPA reliability improvements

    If using CronFederatedHPA for autoscaling, this release fixes scale-up failures when replicas field is missing. Update to ensure consistent autoscaling behavior across your federated deployments.

主な変更 (5)
  • Fixed job status aggregator race condition preventing error loops
  • Resolved CronFederatedHPA scale-up failures when replicas field is missing
  • Corrected graceful eviction task timing issues with GracePeriodSeconds
  • Fixed scheduler panic from divide-by-zero errors in spread constraints
  • Improved backoff queue sorting to prevent priority inversion issues
原文

Karmada

Orchestration & Management2026年2月28日

Karmada v1.14.10 is a patch release focused on stability improvements, fixing critical race conditions in job status handling, scheduler panics, and graceful eviction timing issues.

  • enhancementUpgrade to improve operational stability

    This patch fixes several critical race conditions and panics that could affect workload scheduling and job management. Plan an upgrade during maintenance window to prevent potential scheduler crashes and job status inconsistencies in production clusters.

  • enhancementReview CronFederatedHPA configurations

    The fix for CronFederatedHPA scale-up from zero when replicas field is missing means previously broken auto-scaling configurations will now work correctly. Audit your CronFederatedHPA resources to ensure they behave as expected after upgrade.

主な変更 (6)
  • Fixed race condition in job status aggregator that could cause error loops
  • Resolved CronFederatedHPA scale-up failures when replicas field is missing
  • Fixed GracePeriodSeconds value leakage between eviction tasks
  • Corrected scheduler panic from divide-by-zero in spread constraint calculations
  • Fixed backoff queue sorting causing priority inversion in scheduler
  • Resolved resource quota plugin namespace issue in scheduler estimator
原文

Karmada

Orchestration & Management2026年2月28日

Karmada v1.17.0 is a community-driven release with contributions from 30+ developers, focusing on stability improvements and feature enhancements for multi-cluster management.

  • enhancementPlan upgrade testing in staging environment

    With 30+ contributors and significant community activity, this release likely contains substantial improvements. Test the upgrade path in your staging clusters first, paying attention to controller behavior and resource propagation patterns before rolling out to production.

  • enhancementReview cluster scheduling policies

    Enhanced scheduling capabilities may offer new optimization opportunities for your workload distribution. Review your current PropagationPolicies and OverridePolicies to leverage potential new features for better resource utilization across clusters.

主な変更 (5)
  • Enhanced multi-cluster resource propagation and scheduling capabilities
  • Improved cluster federation management and workload distribution
  • Strengthened API compatibility and controller reliability
  • Extended observability and monitoring features for federated clusters
  • Performance optimizations for large-scale cluster deployments
原文

Dapr

Orchestration & Management2026年2月27日

Dapr 1.17 focuses on production-ready workflows with versioning support, state retention policies, and 41% improved throughput, while stabilizing Bulk PubSub API and enhancing Placement service reliability.

  • enhancementImplement workflow versioning for production workflows

    If you run long-duration workflows in production, adopt the new versioning feature to safely deploy workflow updates. Use named versions for major changes and patching for minor updates. Plan migration strategy for existing workflows before upgrading to avoid replay issues.

  • enhancementConfigure workflow state retention policies

    Review your workflow storage growth patterns and configure retention policies to prevent unbounded state store growth. Set shorter retention for completed workflows and longer retention for failed workflows to balance storage costs with debugging needs.

  • enhancementUpgrade Placement service for better actor reliability

    The improved Placement service provides more reliable actor routing during deployments and scaling. Test your actor-based applications with frequent scaling scenarios to validate the improved convergence behavior after upgrading.

主な変更 (5)
  • Workflow versioning support with named versions and patching strategies for safe evolution of long-running workflows
  • State retention policies to control workflow history storage growth and manage terminal state cleanup
  • Placement service improvements with stricter three-stage updates and faster disconnect detection
  • Stabilized Bulk PubSub API for production use
  • New CLI commands for workflow and scheduler management operations
原文

Knative

Orchestration & Management2026年2月24日

Knative knative-v1.20.3 was released, but the published notes are too brief to summarize. See the original release notes for details.

原文

Knative

Orchestration & Management2026年2月24日

Knative v1.21.1 is a patch release that rebuilds v1.21.0 with Kubernetes v1.25.7 and provides advance notice of upcoming security defaults changes in v1.22.

  • securityPrepare for enhanced pod security posture

    Review your container images and workloads that run as root. The upcoming AllowRootBounded setting restricts root access while maintaining compatibility. Audit your applications now and consider migrating away from root execution where possible for better security alignment.

  • breakingTest workloads for v1.22 security changes now

    The secure-pod-defaults will change from disabled to AllowRootBounded in v1.22. Test your workloads with this setting enabled now. If incompatible, explicitly set secure-pod-defaults to disabled in your configuration before upgrading to v1.22 to avoid service disruptions.

主な変更 (4)
  • Rebuilt with Kubernetes v1.25.7 for compatibility and stability
  • secure-pod-defaults remains disabled by default in v1.21.1
  • Future v1.22 release will change secure-pod-defaults to AllowRootBounded by default
  • AllowRootBounded setting provides better security while maintaining compatibility with root-requiring images
原文

KubeVirt

Orchestration & Management2026年2月23日

KubeVirt v1.7.1 delivers critical bug fixes for live migration, volume hotplug, and VM snapshot operations, along with enhanced monitoring capabilities and security updates.

  • securityUpdate to address crypto dependency vulnerabilities

    The golang.org/x/crypto dependency was updated to v0.45.0 to address security issues. Plan to upgrade to this version promptly, especially in production environments handling sensitive workloads, as crypto vulnerabilities can impact VM security.

  • breakingCross-vendor migration prevention requires review

    KubeVirt now prevents cross-vendor migrations which may break existing workflows that rely on migrating VMs between different infrastructure providers. Review your migration patterns and ensure source and target nodes use compatible virtualization stacks.

  • enhancementImplement ephemeral volume monitoring

    New metrics and alerts for ephemeral hotplug volumes improve operational visibility. Configure your monitoring stack to capture these new metrics and set up alerts for ephemeral volume lifecycle events to better track resource usage and potential issues.

主な変更 (6)
  • Fixed decentralized live migration issues between volumes with different volumeModes
  • Resolved block volume hotplug breaking autoattachVSOCK functionality
  • Added ephemeral hotplug volume metrics and alerts for better monitoring
  • Fixed missing migration metrics that impacted observability
  • Updated security dependencies including golang.org/x/crypto to v0.45.0
  • Enhanced VM export functionality to work with PVCs from completed pods
原文
← 新しい