RATATOSKRATATOSK
ログイン

リリース

CNCF graduated・incubatingプロジェクトのリリースノートのAI分析。

2026年3月解除 ×

Rook

Storage & Data2026年3月24日

日本語 準備中Rook v1.19.3 delivers targeted fixes and additions across CSI, pool management, OSD operations, and RGW — with a notable shift to ceph-csi-operator for CSI deployments.

  • breakingCSI now deploys via ceph-csi-operator — verify your deployment model

    The shift to ceph-csi-operator for deploying Ceph-CSI/NVMe-oF changes how CSI components are managed. If you have customized CSI sidecar configurations or rely on specific deployment behavior, audit your setup before upgrading. The ceph-csi-operator introduces its own CRDs and reconciliation loop, so any direct overrides you've applied to CSI DaemonSets or Deployments may be overwritten or ignored post-upgrade.

  • enhancementEncrypted OSD users: apply the lockbox key rotation fix now

    The lockbox key rotation bug for encrypted OSDs could leave your cluster in an inconsistent encryption state over time. If you're running encrypted OSDs, upgrade to v1.19.3 and verify key rotation is functioning correctly afterward. This is especially relevant if you've observed any anomalies during OSD replacement or key rotation workflows.

  • enhancementRGW on IPv6? The secret formatting fix is a must

    The incorrect IPv6 formatting in object store user secrets would cause connection failures in IPv6-only or dual-stack environments. If your RGW deployment uses IPv6 addressing, this fix directly unblocks proper user secret generation. After upgrading, recreate or reconcile affected object store users to pick up correctly formatted secrets.

主な変更 (5)
  • CSI deployments now go through ceph-csi-operator instead of direct management; ceph-csi image updated to v3.16.2
  • Erasure-coded pool handling improved: cleanup on deletion, correct ready status after reconcile, and mirroring skipped for EC data pools
  • Ceph-exporter gains configurable port support and orphaned deployment cleanup on reconcile
  • OSD disk cleaning now checks devlinks, and lockbox key rotation for encrypted OSDs is fixed
  • RGW fixes: correct IPv6 secret formatting for object store users, shared pools zone JSON support, and zone/sharedPools reconcile ordering
原文

Rook

Storage & Data2026年3月24日

日本語 準備中Rook v1.18.10 patches several OSD reliability issues, tightens RBAC permissions, and adds minor operational improvements to the Ceph exporter and NFS server.

  • securityAudit your Rook RBAC after upgrading — nodes/proxy grant is gone

    The operator's nodes/proxy RBAC permission has been removed. If any custom tooling or monitoring in your environment relied on Rook's ServiceAccount having that grant, it will break silently after upgrade. Review any pipelines or dashboards that use the Rook operator ServiceAccount before rolling this out to production.

  • breakingEncrypted OSD users should test key rotation after upgrading

    The lockbox key rotation logic for encrypted OSDs was updated. Encrypted OSD clusters should run a non-production upgrade first and explicitly verify key rotation still works end-to-end. The CephX key init fix (no overwrite on failure) also changes behavior during error recovery — test any failure/retry scenarios you have documented.

  • enhancementUse the new CephNFS image fields to pin or customize NFS server images

    The new spec.server.image and spec.server.imagePullPolicy fields let you specify a custom NFS Ganesha image per CephNFS resource. This is useful if you need to pin a specific version for compliance or test a patched image without waiting for a Rook release. Update your CephNFS manifests if you currently work around this with other hacks.

主な変更 (5)
  • Orphaned ceph-exporter deployments are now cleaned up automatically during reconcile
  • RBAC: nodes/proxy grants removed from the operator — reduces cluster-wide privilege footprint
  • Encrypted OSD lockbox key rotation logic updated — important for clusters using OSD encryption
  • CephX key init no longer overwrites an existing key on failure — prevents accidental key loss
  • CephNFS gains spec.server.image and spec.server.imagePullPolicy fields for custom NFS images
原文

Harbor

Storage & Data2026年3月20日

日本語 準備中Harbor v2.15.0 delivers proxy cache connection limits, per-endpoint CA certs, Cosign v3 bundle support, and a critical bearer token security fix alongside a Trivy supply chain incident bump.

  • securityUpdate immediately: Trivy supply chain incident and bearer token bypass

    Two separate security issues landed in this release. First, Trivy was bumped to v0.69.3 after a supply chain incident affecting the scanner — run this update before your next scan cycle. Second, the bearer token fix rejects tokens issued before their associated project was created, which plugs an authorization gap. Both issues warrant prompt upgrades rather than waiting for a maintenance window.

  • breakingGCR replication adapter removed — migrate any existing GCR replication rules

    The Google Container Registry adapter is gone. If you have replication rules targeting GCR endpoints, they will break silently after upgrading. Migrate those rules to use Artifact Registry (GAR) endpoints before upgrading to v2.15.0. Also, if you were using proxy cache projects pointed at GCR, those need to be reconfigured.

  • enhancementCap proxy cache upstream connections to protect upstream registries

    The new `max_upstream_conn` parameter lets you throttle outbound connections per proxy cache project. If you're running Harbor as a pull-through cache for Docker Hub or other rate-limited registries, set this to avoid hitting upstream rate limits or overwhelming self-hosted registries. Configure it per-project via the UI or API after upgrading.

主な変更 (7)
  • Proxy cache projects now support configurable upstream connection limits via `max_upstream_conn` parameter, controllable through the UI
  • Per-endpoint CA certificate support added for registry endpoints, useful for private registries with custom PKI
  • Bearer tokens issued before project creation are now rejected — closes a subtle authorization bypass
  • Trivy bumped to v0.69.3 following a supply chain incident; this was a reactive security response, not a routine update
  • Cosign v3 Bundle signature format supported, and Harbor release artifacts are now signed with Cosign keyless signing
  • GCR replication adapter removed since Google Cloud Registry accounts are decommissioned
  • Audit log to DB can now be disabled at initialization, reducing write load for high-throughput environments
原文

Longhorn

Storage & Data2026年3月13日

日本語 準備中Longhorn v1.11.1 delivers critical bug fixes including a major memory leak in instance manager pods and backup failures with S3-compatible storage, making it an urgent upgrade for v1.11.0 users.

  • securityBackup restore functionality compromised

    S3-compatible backup targets (Storj, GCS) were failing due to AWS SDK v2 authorization issues. Test your backup and restore workflows after upgrading, especially if using non-AWS S3 endpoints. Verify large backup transfers complete successfully.

  • breakingUrgent upgrade required for v1.11.0 users

    Users running v1.11.0 experiencing high memory usage in instance manager pods must upgrade immediately. The memory leak can cause cluster instability and pod evictions. Plan upgrade maintenance window and monitor memory usage during rollout.

  • enhancementImproved scheduling with topology awareness

    New CSI topology-aware nodeAffinity controls provide better volume placement. Review your storage class configurations to leverage allowedTopologies and strictTopology settings for multi-zone deployments and specific node scheduling requirements.

主な変更 (5)
  • Fixed critical memory leak in longhorn-instance-manager pods caused by proxy connection leaks
  • Resolved AWS SDK v2 compatibility issues causing backup failures to S3-compatible storage like Storj and GCS
  • Enhanced V2 Data Engine with improved fast replica rebuild and clone functionality
  • Added CSI topology-aware PV nodeAffinity control for better scheduling
  • Fixed storage double-counting that caused scheduling failures when multiple replicas exist on same node
原文

Dragonfly

Storage & Data2026年3月11日

日本語 準備中Dragonfly v2.4.3 is a pure maintenance release focusing on dependency updates and security patches, with no functional changes for users.

  • securityApply routine security updates

    This patch release includes dependency updates that may contain security fixes. Update your Dragonfly deployments to v2.4.3 during your next maintenance window. The upgrade should be seamless with no breaking changes or configuration updates required.

  • enhancementImproved observability with OpenTelemetry updates

    The OpenTelemetry library updates from v0.63.0 to v0.67.0 provide better tracing capabilities. If you're using distributed tracing with Dragonfly, you may see improved trace collection and reduced overhead after upgrading.

主な変更 (5)
  • Updated OpenTelemetry libraries from v0.63.0 to v0.67.0 for improved observability
  • Upgraded Docker actions to v4.0.0 for GitHub CI/CD workflows
  • Bumped Golang system dependencies including oauth2 and sys packages
  • Updated d7y.io/api to v2.2.24 for latest API compatibility
  • Refreshed GitHub Actions dependencies for stale issue management
原文

Harbor

Storage & Data2026年3月10日

日本語 準備中Harbor v2.13.5 focuses on security improvements with stricter bearer token validation and removes sensitive configuration data from audit logs.

  • securityBearer token security enforcement requires review

    Harbor now rejects bearer tokens issued before project creation, which could break existing integrations using older tokens. Audit your CI/CD pipelines and automation scripts that authenticate with Harbor to ensure they regenerate tokens after this upgrade.

  • enhancementAudit log cleanup improves security posture

    Configuration payloads are no longer logged in audit trails, reducing exposure of sensitive settings. Review your log monitoring and compliance processes to ensure they still capture necessary security events without relying on configuration data in logs.

  • enhancementUpdated Trivy brings latest vulnerability definitions

    Trivy v0.69.3 includes newer vulnerability databases and detection rules. Schedule a rescan of your container images to identify any newly discovered vulnerabilities that weren't caught in previous scans.

主な変更 (5)
  • Removed payload from configuration audit logs to prevent sensitive data exposure
  • Enhanced bearer token security by rejecting tokens issued before project creation
  • Updated Trivy scanner to v0.69.3 and adapter to v0.35.1 for latest vulnerability detection
  • Upgraded Go runtime and base container images for security patches
  • Fixed CI pipeline compatibility with newer Docker versions
原文

Harbor

Storage & Data2026年3月10日

日本語 準備中Harbor v2.14.3 delivers critical security fixes for bearer token validation and updates Trivy scanner to version 0.69.3, focusing on hardening authentication mechanisms and keeping vulnerability detection current.

  • securityUpdate immediately for bearer token fix

    This release patches a security flaw where Harbor accepted bearer tokens issued before project creation. Deploy v2.14.3 immediately if you use token-based authentication, as this could allow unauthorized access to projects.

  • enhancementBenefit from updated Trivy scanning

    Trivy v0.69.3 includes the latest vulnerability database and detection capabilities. Schedule a rescan of your critical images after upgrading to catch newly discovered vulnerabilities that older versions missed.

  • enhancementReview audit log configurations

    Sensitive payload data has been removed from configuration audit logs to prevent credential exposure. Verify your log monitoring tools still capture the security events you need after this change.

主な変更 (5)
  • Bearer token security fix preventing acceptance of tokens issued before project creation
  • Trivy vulnerability scanner updated to v0.69.3 with adapter v0.35.1
  • Configuration audit log no longer includes sensitive payload data
  • Base image refresh and Go dependency updates for improved security posture
  • GitHub Actions workflows migrated to ubuntu-latest runners
原文

Dragonfly

Storage & Data2026年3月9日

日本語 準備中Dragonfly v2.4.2 adds gRPC rate limiting and scheduler cluster configuration while improving security scores and fixing several configuration inconsistencies.

  • breakingUpdate configuration files for renamed fields

    The rateLimit configuration field was renamed to bandwidthLimit. Check your configuration files and update any references to use the new naming convention to avoid configuration parsing errors.

  • enhancementConfigure gRPC rate limiting for production

    The new gRPC rate limiting feature protects against resource exhaustion attacks. Review your current traffic patterns and configure appropriate rate limits in your Dragonfly configuration to prevent service degradation under load.

  • enhancementLeverage new scheduler cluster management

    With scheduler cluster de-registration support, implement proper cluster lifecycle management in your deployment scripts. This helps maintain cluster health and prevents orphaned schedulers from affecting performance.

主な変更 (5)
  • Added gRPC server request rate limiting to prevent resource exhaustion
  • Introduced scheduler cluster de-registration support for better cluster management
  • Added seed client configuration support for improved peer connectivity
  • Refactored configuration naming for consistency (rateLimit → bandwidthLimit)
  • Upgraded API to v2.2.14 and multiple dependency updates for security patches
原文
月別に見る