RATATOSKRATATOSK
ログイン

リリース

CNCF graduated・incubatingプロジェクトのリリースノートのAI分析。

2026年2月解除 ×

Open Policy Agent (OPA)

Security2026年2月26日

日本語 準備中OPA v1.14.0 delivers significant rule indexing improvements for variable assignments and 'x in {...}' expressions, along with H2C Unix domain socket support, enhanced testing output, and various performance optimizations.

  • enhancementOptimize policy performance with improved rule indexing

    The enhanced rule indexing for variable assignments and membership expressions will automatically improve performance for policies using patterns like 'x := input.role; x in {"admin", "user"}'. Review your existing policies to identify similar patterns that will benefit from this optimization without requiring code changes.

  • enhancementEnable H2C with Unix domain sockets for secure local communication

    If you're running OPA in containerized environments or need secure local IPC, use the new '--h2c' flag with Unix domain sockets. This reduces network overhead and improves security for local service-to-service communication patterns.

  • enhancementLeverage custom storage backend API for specialized use cases

    The new custom storage backend registration API enables integration with specialized storage systems. Evaluate if your current storage requirements could benefit from custom backends, particularly for high-performance or compliance-specific storage needs.

主な変更 (6)
  • Enhanced rule indexing for variable assignments and 'x in {...}' expressions improves query performance
  • Added H2C protocol support with Unix domain sockets for 'opa run' command
  • New line number display in test output for better debugging experience
  • Custom storage backend registration API for extensibility
  • Fixed race condition in plugin trigger management
  • Performance improvements in array unification and JSON patch operations
原文

cert-manager

Security2026年2月24日

日本語 準備中cert-manager v1.18.6 is a security-focused patch release primarily addressing CVE-2025-68121 through Go runtime updates, with no functional changes to certificate management operations.

  • securityUpdate to v1.18.6 for CVE-2025-68121 mitigation

    This release patches a Go runtime vulnerability (CVE-2025-68121) that could affect cert-manager security. Plan an upgrade within your standard maintenance window as this is a drop-in replacement with no configuration changes required. Test in non-production first, then roll out to production clusters.

  • enhancementSafe upgrade path for production workloads

    Since this is purely a security patch with no functional changes, you can upgrade with confidence using your existing deployment processes. The update maintains full backward compatibility, making it suitable for automated deployment pipelines without additional testing overhead.

主な変更 (4)
  • Go runtime updated to address CVE-2025-68121 security vulnerability
  • CVE-2026-24051 left unpatched as it only affects macOS environments
  • Pure security patch with no breaking changes or new features
  • Maintains compatibility with existing cert-manager deployments
原文

OpenFGA

Security2026年2月23日

日本語 準備中OpenFGA v1.11.6 enables ListObjects pipeline by default for improved performance, upgrades gRPC client implementation, and addresses a security vulnerability in grpc-health-probe.

  • securityUpdate deployments using grpc-health-probe

    If you're using grpc-health-probe for health checks in your OpenFGA deployments, this update addresses CVE-2025-68121. Verify your container images are pulling the latest version and update any standalone grpc-health-probe binaries.

  • enhancementTest ListObjects pipeline performance impact

    The new default ListObjects pipeline algorithm may improve query performance but could change behavior. Monitor your ListObjects API calls after upgrade and be prepared to disable it with listObjects-pipeline-enabled=false if you encounter issues.

主な変更 (3)
  • ListObjects pipeline algorithm now enabled by default (can be disabled with listObjects-pipeline-enabled=false)
  • Migration from deprecated grpc.DialContext to grpc.NewClient for grpc-gateway client
  • Security update: grpc-health-probe bumped to v0.4.45 addressing CVE-2025-68121
原文

Keycloak

Security2026年2月20日

日本語 準備中Keycloak 26.5.4 is a critical security patch release addressing 5 CVEs including SAML vulnerabilities and authorization bypass issues. Includes performance improvements and cluster stability fixes.

  • securityImmediate upgrade required for multiple CVEs

    This release fixes 5 CVEs including authorization bypass and DoS vulnerabilities. Review your SAML configurations and Docker registry protocol usage. Schedule immediate upgrade during next maintenance window, especially if using SAML brokering or have Docker registry integrations.

  • securityVerify client secret exposure in configurations

    CVE fix addresses client secret disclosure on unauthenticated endpoints. After upgrade, audit your client configurations and rotate any potentially exposed secrets. Review access logs for unauthorized config endpoint access.

  • enhancementOptimize cluster performance post-upgrade

    New session ID key affinity and improved caching will enhance performance in clustered deployments. Monitor login page response times and cluster stability after upgrade - you should see reduced database queries and better load distribution.

主な変更 (5)
  • Fixed 5 critical CVEs including SAML response delays, authorization header parsing bypass, and DoS vulnerabilities
  • Resolved client secret information disclosure on unauthenticated config endpoints
  • Enhanced session ID key affinity mechanism for improved load balancing
  • Fixed cluster rejoining issues with 3+ node configurations using jdbc-ping
  • Improved database query caching performance on login page loads
原文

Kyverno

Security2026年2月19日

日本語 準備中Kyverno v1.17.1 is a focused patch release fixing a CVE, multiple crash/panic conditions, race conditions, and image verification bugs that could silently misbehave in production.

  • securityPatch CVE-2025-68121 now

    CVE-2025-68121 is fixed in this release. Details on scope are limited in the notes, but any CVE fix in an admission controller warrants immediate attention. If you're on v1.17.0, upgrade to v1.17.1 before doing anything else. Don't wait for your next maintenance window.

  • breakingVerify your policy exclusion rules if you use empty lists

    A bug was fixed where an empty list in a policy exclusion would silently exclude ALL resources instead of none. If you have any ClusterPolicy or Policy with exclusion blocks, audit them now. If you were unknowingly relying on empty-list-as-exclude-all behavior (unlikely but possible), your policies will now behave correctly — meaning resources that were previously skipped will now be evaluated.

  • enhancementImage verification with TSA and private registries is now reliable

    Two separate ivpol fixes land here: signed timestamp verification is now correctly enabled when a TSACertChain is provided, and private registry secrets in the Kyverno namespace are now used during background report scanning. If you've been seeing unexpected verification failures in background scans or with TSA-based signature policies, upgrade and re-run your report scans to get accurate results.

主な変更 (5)
  • CVE-2025-68121 patched — update immediately if running v1.17.0
  • Panic fixed in metrics wrapper when generate response returns no result — previously could crash the controller
  • Race conditions eliminated in configuration.IsExcluded() and ReportsBreaker — affected correctness under concurrent load
  • Image verification (ivpol) fixes: private registry auth now works in reports scanner, multi-signature annotation validation bug resolved, and TSA signed timestamp verification enabled when cert chain is provided
  • Empty list in policy exclusion no longer silently excludes all resources — a subtle but dangerous behavioral bug
原文
月別に見る