RATATOSKRATATOSK
ログイン

リリース

CNCF graduated・incubatingプロジェクトのリリースノートのAI分析。

2026年3月解除 ×
Open Policy Agent (OPA)v1.15.1原文2026年3月30日

cert-manager

Security2026年3月27日

日本語 準備中v1.20.1 is a targeted patch fixing an OpenShift upgrade blocker, a Gateway API duplicate parentRef bug, and a scanner-flagged gRPC dependency bump.

  • securitygRPC bump is cosmetic — but clear your scanner alerts

    The gRPC dependency was bumped purely to satisfy vulnerability scanners. The reported CVE does not affect cert-manager's code paths. No runtime risk, but if your supply chain tooling (Trivy, Grype, etc.) was flagging v1.20.0, this update will resolve those alerts. Good reason to upgrade, but no urgency beyond scanner hygiene.

  • breakingOpenShift users: upgrade to v1.20.1, skip v1.20.0

    v1.20.0 introduced a regression where the order controller lacked the necessary finalizer RBAC, breaking upgrades on OpenShift due to stricter RBAC enforcement. If you're on OpenShift and held back from v1.20.0, go straight to v1.20.1. If you somehow applied v1.20.0, verify that the ClusterRole for the order controller now includes the issuer finalizer permissions after upgrading.

  • enhancementGateway API users: fix parentRef duplication before it causes routing issues

    If you're using Gateway API integration with cert-manager and specify parent references in both the issuer config and via annotations, v1.20.0 would generate duplicate parentRef entries. This can cause unpredictable behavior depending on your gateway implementation. Upgrading to v1.20.1 resolves this — review any existing certificates using both mechanisms to confirm they're clean post-upgrade.

主な変更 (3)
  • Fixed missing issuer finalizer RBAC on the order controller — OpenShift users were blocked from upgrading to v1.20.0
  • Fixed duplicate parentRef entries in Gateway API when both issuer config and annotations specify parent references
  • Bumped google.golang.org/grpc to silence scanner alerts (no actual exploitable vulnerability in cert-manager's usage)
原文

Open Policy Agent (OPA)

Security2026年3月26日

日本語 準備中OPA v1.15.0 adds a pluggable logging system with file rotation, breaks custom HTTPAuthPlugin implementations, and extends AWS signing to support web identity credentials.

  • breakingAudit and fix custom HTTPAuthPlugin implementations before upgrading

    If you've built a custom HTTPAuthPlugin, NewClient() is now called once per Client instance, not per request. Any per-request logic (counters, transport wrapping, logging side effects) sitting in NewClient() will now execute exactly once and silently produce wrong behavior. Before upgrading, audit your plugin and move all per-request logic to Prepare(). OPA's own built-in plugins are already updated, so this only affects teams with custom plugins.

  • enhancementAdopt the file logger plugin to consolidate OPA log management

    The new file_logger plugin writes structured JSON logs with automatic rotation, covering both runtime and decision logs through a single configuration block under server.logger_plugin. If you're currently tailing OPA stdout or piping to an external log shipper, switching to the file logger reduces operational complexity and gives you rotation out of the box. Decision log plugin output via the same logger plugin is a clean alternative to the HTTP bundle endpoint for low-latency environments.

  • enhancementEnable web identity credentials for AWS-backed OPA deployments on EKS

    OPA running on EKS with IRSA (IAM Roles for Service Accounts) can now use Web Identity tokens directly for Assume Role credential flows in AWS Signing. If you've been working around this with instance profile credentials or manual token injection, you can now configure this natively. Update your REST plugin AWS signing config to use the web identity provider and align with standard EKS IAM patterns.

主な変更 (5)
  • New logger plugin interface (based on Go's slog.Handler) lets you route OPA runtime and decision logs to custom destinations, including a built-in file logger with rotation via lumberjack
  • Breaking: HTTPAuthPlugin.NewClient() is now called once and cached — per-request logic there will silently stop working; move it to Prepare()
  • AWS Signing now supports Web Identity (Service Account) credentials for Assume Role flows
  • TLS client cert re-reads are now configurable via cert_reread_interval_seconds, with content hashing to skip unnecessary re-parses
  • All TLS configurations now inherit server-level minimum version and ciphersuite settings — previously per-client TLS configs could diverge
原文

OpenFGA

Security2026年3月23日

日本語 準備中OpenFGA v1.13.0 ships AuthZen v1.0 support, separates Check v1/v2 caches, and hardens the resolver pipeline against panics.

  • securityUpgrade to stop resolver panics from taking down the server

    Unhandled panics in the pipeline base resolver previously had the potential to crash the OpenFGA process entirely. The fix converts these to returned errors, keeping the server running. If you've seen unexpected OpenFGA restarts under complex authorization graph evaluations, this is likely why. Upgrade promptly — this is a reliability fix with meaningful availability implications.

  • breakingSeparate Check v1/v2 caches may change cache hit behavior — review your cache sizing

    Previously, Check v1 and v2 shared a single cache, which could lead to cross-contamination but also inadvertent cache hits. Now they're isolated. If you're running both API versions concurrently, your effective cache hit rate may drop and memory usage could shift. Revisit your cache capacity configuration after upgrading and monitor cache hit ratios in your observability stack.

  • enhancementEvaluate AuthZen v1.0 for cross-system authorization interop

    AuthZen v1.0 is the emerging standard for authorization API interoperability across CNCF and broader ecosystem tools. If you're integrating OpenFGA with other policy engines or building a multi-system authz layer, test the new AuthZen endpoint now. Early adoption means your integration patterns align with where the ecosystem is heading rather than needing a retrofit later.

主な変更 (4)
  • AuthZen v1.0 standard implemented — OpenFGA now speaks the CNCF authorization interoperability spec
  • Separate cache layers for Check v1 and Check v2 APIs, preventing cross-version cache pollution
  • Panics in the pipeline's base resolver are now caught and returned as errors instead of crashing the process
  • List-objects span aggregation improved — message stats per sender now roll up into a single trace span for cleaner observability
原文

OpenFGA

Security2026年3月19日

日本語 準備中v1.12.1 is a focused maintenance release fixing OTLP endpoint URI parsing and improving ListObjects pipeline internals with Go native channels.

  • breakingOTLP https:// scheme now forces TLS regardless of your config flag

    If you set OTEL_EXPORTER_OTLP_ENDPOINT with an https:// scheme, TLS will be enabled even if trace.otlp.tls.enabled is false. Audit your observability configs before upgrading — any environment using https:// endpoints with TLS explicitly disabled will now have TLS enabled. This is almost certainly the correct behavior, but verify your collector setup accepts TLS connections.

  • enhancementOTLP endpoint URIs with schemes finally work — clean up your workarounds

    Previously, passing a full URI like http://host:4317 to OTEL_EXPORTER_OTLP_ENDPOINT would break because the scheme wasn't stripped before reaching the gRPC exporter. If you've been working around this by omitting the scheme, you can now use standard URI formats. Update your deployment configs and remove any manual scheme-stripping logic.

  • enhancementListObjects performance improvement — no action needed, just upgrade

    Replacing the custom Pipe implementation with Go native channels reduces internal complexity and can improve throughput for ListObjects calls under concurrent load. No API changes, no config changes needed. The tuple validation refactor compounds this. If you're running OpenFGA at scale with heavy ListObjects usage, this patch is worth taking.

主な変更 (4)
  • ListObjects pipeline now uses Go native channels instead of a custom Pipe implementation — cleaner concurrency, better debuggability
  • Tuple validation and manipulation functions refactored for better performance under load
  • grpc-go bumped to v1.79.3 and grpc-health-probe to v0.4.47 — dependency hygiene
  • OTEL_EXPORTER_OTLP_ENDPOINT now correctly handles URIs with schemes like http:// or https://, stripping the scheme before passing to gRPC exporter
原文

Keycloak

Security2026年3月19日

日本語 準備中Keycloak 26.5.6 is a critical security release patching 8 CVEs spanning SSRF, token reuse, IDOR, privilege escalation, and multiple information disclosure vulnerabilities. Upgrade immediately.

  • securityPatch all 8 CVEs — upgrade to 26.5.6 now

    This release fixes eight CVEs covering SSRF, token replay, privilege escalation, IDOR, and multiple information disclosure paths. Three of these (SSRF via jwks_uri, privilege escalation via manage-clients, and auth session contamination) are particularly dangerous in multi-tenant or public-facing deployments. There is no workaround — upgrade is the only fix. If you're on any 26.x version, treat this as an emergency patch.

  • securityAudit manage-clients grants and OIDC Dynamic Client Registration usage

    CVE-2026-3121 (privilege escalation via manage-clients) and CVE-2026-1180 (SSRF via jwks_uri in dynamic client registration) both require reviewing your current permission grants and feature flags. After upgrading, audit which users/service accounts hold manage-clients. If you don't use OIDC Dynamic Client Registration, disable it at the realm level to eliminate the SSRF attack surface entirely.

  • breakingVerify Operator DB config and multi-realm startup behavior post-upgrade

    The 26.5.0 Operator regression for DB targetServerType=primary (affecting master-replica failover) and the O(N²) startup scan introduced in 26.5.4 are both fixed here. If you hit either of these bugs, validate your DB connection failover behavior and startup times after upgrading. Large deployments with many realms should see noticeably faster restarts.

主な変更 (6)
  • CVE-2026-1180: Blind SSRF via OIDC Dynamic Client Registration jwks_uri — attackers can probe internal network endpoints
  • CVE-2026-1035: Refresh token reuse bypass via TOCTOU race condition — token replay attacks become possible
  • CVE-2026-3121: Privilege escalation via manage-clients permission — low-privilege users may gain elevated access
  • CVE-2025-14777: IDOR in realm client create/delete — unauthorized cross-realm client manipulation
  • Bug fix: AUTH_SESSION_ID cookie reuse caused cross-user session contamination on re-authentication — a serious data isolation issue
  • Bug fix: O(N²) startup regression with many realms introduced in 26.5.4 is resolved — large deployments were severely impacted
原文

Cloud Custodian

Security2026年3月18日

日本語 準備中A broad feature release adding 12+ new AWS resources, new upgrade-available filters for EKS/Elasticsearch, Azure Entra ID resources, and GCP Vertex AI support. Several bug fixes address S3 cache staleness, GuardDuty validation, and IAM user errors.

  • enhancementAudit EKS and Elasticsearch upgrade readiness now

    The new upgrade-available filter for both EKS and Elasticsearch means you can write policies that flag clusters where a newer version exists. If you've been tracking version compliance manually, replace that with a c7n policy using the upgrade-available filter and route matches to notify or tag. Good timing before any end-of-support deadlines.

  • enhancementAdd whitelist_patterns to cross-account filters using deleted principals

    If your cross-account policies flag deleted IAM principals as violations, you've likely been dealing with false positives. The new whitelist_patterns parameter on the cross-account filter lets you skip ARN patterns for known-deleted or transient principals. Review your existing cross-account policies and add patterns for any deleted accounts or service-linked roles you see repeated in output.

  • enhancementAudit Azure Entra ID security posture with new resource types

    Four new Entra ID resource types — conditional-access-policy, authorization-policy, named-location, security-defaults — are now queryable. If you manage Azure security baselines, write policies to check that security defaults are enabled and conditional access policies match your org's requirements. This fills a gap that previously required separate tooling.

主な変更 (5)
  • New upgrade-available filters for EKS and Elasticsearch let you proactively find clusters running outdated versions
  • 12 new AWS resource types added: savings-plan, vpc-lattice-listener, directconnect-gateway, bedrock-inference-profile, transfer-connector, and more
  • Azure Entra ID resources now manageable: conditional-access-policy, authorization-policy, named-location, and security-defaults
  • GCP gains Vertex AI resources (endpoint, batch-prediction-job) and expanded set-labels support across BigQuery, BigTable, KMS, and GCS buckets
  • cross-account filter gets whitelist_patterns to skip deleted IAM principals, and org-id + wildcard joint conditions now handled correctly
原文

SPIRE

Security2026年3月18日

日本語 準備中v1.14.3 patches a TLS session resumption bypass that could skip certificate chain validation, plus fixes node cache rebuild and several reliability issues in AWS and federation scenarios.

  • securityUpgrade immediately to fix TLS session ticket bypass

    TLS session resumption on SPIRE Server's TCP endpoint was allowing reconnecting clients to skip SPIFFE certificate chain validation — meaning a client with an expired or revoked cert could potentially reconnect without re-validation against the current trust bundle. This is a meaningful trust boundary violation. Upgrade to v1.14.3 now. No config change needed; the fix disables session tickets server-side automatically.

  • securitySelector data no longer leaks into agent logs

    Selectors can encode workload identity details (e.g., Kubernetes pod labels, Unix UIDs, AWS metadata) that you may not want in logs. Previously, these were logged at agent level. After upgrading, audit your existing log pipelines and retention policies — any historical logs may still contain this data.

  • breakingPQC users must migrate from Kyber draft to X25519MLKEM768

    If you've enabled RequirePQKEM TLS policy, the underlying algorithm changes from the draft x25519Kyber768Draft00 to the standardized X25519MLKEM768. Both peers must be running v1.14.3+ before this takes effect, otherwise TLS handshakes will fail. Plan a coordinated upgrade of agents and server if you're using this policy.

  • enhancementNode cache rebuild fix is critical for long-running agents

    The periodic node cache rebuild was executing only once after startup instead of on its configured interval. Over time, agents in environments with frequent workload changes would serve stale cache data. This is silently fixed in v1.14.3 — no config changes needed, but you should upgrade agents promptly, especially in dynamic environments.

主な変更 (5)
  • TLS session ticket resumption on server TCP endpoints disabled — was allowing connections to bypass SPIFFE certificate chain validation against the current trust bundle
  • Selectors no longer logged at agent level to prevent sensitive info leakage
  • RequirePQKEM policy updated from draft x25519Kyber768Draft00 to standardized X25519MLKEM768
  • Node cache periodic rebuild was silently running only once — now correctly loops at configured interval
  • ReadOnlyEntry.Clone() bug fixed: Admin boolean was bleeding into Downstream field, corrupting authorization metadata for GetAuthorizedEntries/SyncAuthorizedEntries clients
原文

Kubescape

Security2026年3月17日

日本語 準備中Kubescape v4.0.3 is a small patch release adding a --grype-db-url flag for offline/airgapped Grype database usage, plus a bug fix for missing host errors and dependency bumps.

  • securitygo-git updated to v5.16.5 — pull this upgrade promptly

    go-git patch releases frequently address vulnerabilities in git protocol parsing. Review the go-git v5.16.5 changelog to confirm whether any CVEs are addressed, and prioritize this upgrade if your Kubescape usage involves scanning git repositories or if you embed Kubescape as a library.

  • breakingMissing host now returns an error — check your error handling

    Previously, a missing host in scan targets silently returned nil instead of an error. If your pipelines or scripts were treating a zero-exit-code as success in these cases, they may now surface failures they were previously ignoring. Test your scan workflows after upgrading to make sure error handling behaves as expected.

  • enhancementUse --grype-db-url for airgapped or private mirror setups

    If you run Kubescape in environments without direct internet access, the new --grype-db-url flag lets you point image scans at an internal Grype DB mirror. Set this in your CI pipelines or operator configs now rather than patching environment variables or workarounds you may have hacked together previously.

主な変更 (5)
  • New --grype-db-url flag on 'kubescape scan' lets you override the default Grype vulnerability database URL
  • Fixed a bug where a missing host did not return a proper non-nil error, which could silently swallow scan failures
  • go-git bumped to v5.16.5 (likely security/bug fixes in git operations)
  • OpenTelemetry SDK bumped to 1.40.0
  • Added debug logging for scanInfo.ListingURL to aid troubleshooting Grype DB fetches
原文

OpenFGA

Security2026年3月13日

日本語 準備中OpenFGA v1.12.0 improves operational reliability with automatic TLS certificate rotation, enhanced input validation, and critical race condition fixes.

  • securityUpgrade for Go stdlib vulnerability fixes

    This release addresses two Go standard library vulnerabilities (GO-2026-4603 and GO-2026-4601). Plan your upgrade to eliminate these security risks in production deployments.

  • enhancementConfigure gRPC message size limits

    Review your current message sizes and set appropriate limits using the new configuration option to prevent resource exhaustion attacks and improve system stability.

  • enhancementBenefit from automatic certificate rotation

    If you're using cert-manager or similar certificate rotation tools, this release eliminates connection failures during certificate updates. Test your certificate rotation process after upgrading to verify the improvement.

主な変更 (5)
  • gRPC message size limits now configurable for better resource control
  • HTTP gateway automatically handles TLS certificate rotation without connection failures
  • Tuple validation rejects unicode control characters and null bytes for security
  • Race condition in check reducers fixed to prevent non-deterministic execution
  • Cache metrics corrected to prevent indefinite upward drift on overwrites
原文

cert-manager

Security2026年3月10日

日本語 準備中cert-manager v1.20.0 introduces Gateway API ListenerSet support, Azure Private DNS integration, and promotes OtherNames to Beta, while fixing several ACME and DNS-related bugs.

  • securityUpdate for DNS DoS vulnerability fix

    A moderate security issue allowed attackers to cause controller denial-of-service through malformed DNS responses. Update immediately if your cert-manager controllers are exposed to untrusted DNS servers or networks where DNS traffic could be manipulated.

  • breakingContainer UID/GID changes affect security contexts

    Default container user changed from UID 1000 to 65532, and group from GID 0 to 65532. Review your pod security policies, security contexts, and file permissions if you've hardcoded these values or rely on root group access.

  • enhancementEnable Azure Private DNS for internal certificate management

    New Azure Private DNS support allows DNS-01 challenges for private zones. Configure your Azure DNS issuer with private zone settings to manage certificates for internal services without exposing DNS records publicly.

主な変更 (5)
  • Gateway API ListenerSet resource support with experimental feature gate
  • Azure Private DNS zones support for DNS-01 challenges
  • OtherNames feature promoted to Beta and enabled by default
  • Network policy configuration flags across all containers
  • Enhanced Venafi provider with custom fields annotation support
原文

Open Policy Agent (OPA)

Security2026年3月9日

日本語 準備中OPA v1.14.1 is a patch release that reverts rule indexer changes causing lookup failures and fixes a plugin manager deadlock, while updating dependencies for security vulnerabilities.

  • securitySecurity updates in dependencies

    This release includes Go 1.26.1 and updated dependencies that patch known vulnerabilities. Schedule this upgrade as part of your regular security maintenance cycle, especially if you're running OPA in production.

  • breakingUpgrade immediately if using v1.14.0

    The rule indexer changes in v1.14.0 cause policy lookup failures for some configurations. Deploy v1.14.1 to restore reliable policy evaluation. The optimization will return in v1.15.0 with proper fixes.

  • enhancementPlugin manager stability improved

    The deadlock fix resolves intermittent hangs during configuration operations. If you've experienced unexplained OPA freezes during plugin configuration, this release should eliminate those issues.

主な変更 (4)
  • Reverted rule indexer optimization from v1.14.0 that caused unexpected policy lookup failures
  • Fixed intermittent deadlock in plugins manager during opa.configure operations
  • Updated Go to version 1.26.1 and refreshed dependency versions
  • Addressed various Golang standard library and package vulnerabilities
原文

Keycloak

Security2026年3月5日

日本語 準備中Keycloak 26.5.5 is a critical security release addressing four SAML broker vulnerabilities that could allow authentication bypass and unauthorized access in production environments.

  • securityImmediate upgrade required for SAML users

    These CVEs affect SAML broker configurations and could allow authentication bypass. If you use SAML identity providers or broker functionality, schedule emergency maintenance to upgrade immediately. Review your disabled SAML providers to ensure they're properly secured post-upgrade.

  • securityAudit SAML broker configurations

    After upgrading, verify that disabled SAML identity providers are truly disabled and cannot process authentication requests. Check your IdP-initiated login flows and ensure encryption is working correctly for SAML assertions.

主な変更 (4)
  • Fixed CVE-2026-3047: SAML broker authentication bypass when disabled client completes IdP-initiated login
  • Resolved CVE-2026-3009: Improper enforcement of disabled identity providers in broker service
  • Patched CVE-2026-2603: Disabled SAML IdPs incorrectly allowing IdP-initiated logins
  • Secured CVE-2026-2092: SAML broker encrypted assertion injection vulnerability
原文

SPIRE

Security2026年3月3日

日本語 準備中SPIRE v1.14.2 addresses two critical security vulnerabilities in server node attestor plugins that could enable SSRF attacks and CPU exhaustion.

  • securityUpgrade immediately to patch critical vulnerabilities

    Two security issues affect SPIRE servers using http_challenge or x509pop attestors. The SSRF vulnerability lets attackers redirect servers to unauthorized domains and extract response data. The x509pop DoS vulnerability allows CPU exhaustion attacks. Update to v1.14.2 immediately if you use either attestor plugin.

主な変更 (3)
  • Fixed SSRF vulnerability in http_challenge server node attestor plugin
  • Resolved CPU exhaustion issue in x509pop server node attestor plugin
  • Both vulnerabilities could be exploited by attackers during node attestation
原文

SPIRE

Security2026年3月3日

日本語 準備中SPIRE v1.13.4 fixes two critical security vulnerabilities in node attestor plugins that could enable SSRF attacks and CPU exhaustion attacks.

  • securityUpgrade immediately to patch critical vulnerabilities

    Two severe vulnerabilities affect node attestation security. The http_challenge plugin SSRF flaw lets attackers probe internal networks, while the x509pop plugin can be exploited for DoS attacks. Update to v1.13.4 immediately and audit recent attestation logs for suspicious activity.

  • securityReview node attestor plugin configurations

    If you use http_challenge or x509pop attestor plugins, verify your network security controls and consider temporary restrictions on node attestation endpoints until the upgrade is complete. Monitor CPU usage patterns during attestation processes.

主な変更 (4)
  • Fixed SSRF vulnerability in http_challenge server node attestor allowing attackers to redirect server requests
  • Patched CPU exhaustion attack vector in x509pop server node attestor plugin
  • Both vulnerabilities affected the node attestation process used for workload identity verification
  • Security fixes address potential unauthorized access and denial of service scenarios
原文
月別に見る