RATATOSKRATATOSK
ログイン

リリース

CNCF graduated・incubatingプロジェクトのリリースノートのAI分析。

2026年4月解除 ×

containerd

Kubernetes Core2026年4月30日

日本語 準備中containerd 2.3.0 is the first LTS release under the new Kubernetes-aligned 4-month cadence, offering 2+ years of support with major NRI, EROFS, and observability improvements.

  • breakingRename NRI plugins with commas in their names before upgrading

    The new OCI hook owner accumulation logic uses commas as delimiters internally, so any NRI plugin whose name contains a comma will break. Audit your NRI plugin names now. If any contain commas, rename them before rolling out 2.3.0 — this affects both the plugin binary name and any configuration referencing it.

  • enhancementPlan your 1.7 → 2.3 LTS migration now

    This is the designated upgrade target from containerd 1.7 LTS. The project explicitly tests and supports direct sequential LTS-to-LTS upgrades. If you're still on 1.7, this is the right time to build a migration plan — 2.3 gets at least two years of support, making it the stable foundation for Kubernetes clusters through roughly 2027.

  • enhancementEnable trace propagation for better plugin and runtime observability

    OTel traces now flow through gRPC RPCs between containerd and its plugins, and trace IDs can be injected into log lines. If you run a distributed tracing stack (Jaeger, Tempo, etc.), configure the OTLP exporter in containerd's config and enable trace ID injection in logging. This closes a major gap where container lifecycle events were invisible to your tracing backend.

主な変更 (5)
  • First LTS release in the 2.x line — direct upgrade path from 1.7 LTS is tested and supported
  • NRI gets massive capability expansion: user/group IDs, seccomp policy, rlimits, sysctls, network devices, Intel RDT, and kernel scheduling policy now all passable to plugins
  • EROFS support matures with zstd-wrapped layers, dmverity integration, and native container image media types
  • OpenTelemetry traces now propagate through outgoing gRPC RPCs from plugin clients, with trace ID injection into logs
  • NRI breaking change: commas are no longer allowed in plugin names due to OCI hook owner accumulation logic
原文

OpenFeature

CI/CD & App Delivery2026年4月30日

日本語 準備中flagd core v0.15.5 fixes evaluation correctness bugs in fractional rollouts and JSONLogic and/or operators — teams relying on complex flag targeting rules should upgrade.

  • securityDependency security alerts resolved

    Dependabot security alerts were resolved in this release. No CVEs are called out explicitly, but the dependency updates address known vulnerabilities in transitive deps. Upgrade if you're running flagd in a security-sensitive environment.

  • breakingFractional evaluator fix: upgrade if you use targeting keys

    Null or missing targeting keys in fractional evaluators previously caused undefined behavior. If your flag rules use fractional/percentage rollouts and some users may lack a targeting key (e.g. anonymous users), upgrade to avoid incorrect bucket assignments.

  • breakingJSONLogic and/or bug fix may change evaluation results

    The jsonlogic and/or operator bug could cause flag rules with compound boolean logic to evaluate incorrectly. Review any rules relying on and/or conditions after upgrading — results may change from what you saw in v0.15.4.

主な変更 (5)
  • Fractional evaluator now handles missing or null targeting keys without crashing or misbehaving
  • JSONLogic and/or operator bug fixed — compound boolean flag rules evaluate correctly now
  • Custom operator conformance fixes improve spec compliance
  • OTel service name and version can now be overridden correctly
  • Dependabot security alert dependencies updated
原文

Argo

CI/CD & App Delivery2026年4月30日

日本語 準備中v3.3.9 is a focused patch addressing four bugs — including a panic in ApplicationSet DuckType Generator and a UI crash in pod logs — plus a Go version bump to resolve CVEs.

  • securityUpgrade to patch Go-level CVEs

    The Go runtime was bumped specifically to resolve CVEs. The release notes don't enumerate the exact CVE IDs, but if you're running 3.3.x in production, upgrade to 3.3.9 now rather than waiting for your next maintenance window. All container images are cosign-signed and SLSA Level 3 provenance is available — verify signatures before deploying if your pipeline requires it.

  • breakingApplicationSet DuckType Generator panic is now fixed — review affected ApplicationSets

    If you use DuckType Generators and have clusters with non-string label values, previous versions would silently panic. After upgrading, those ApplicationSets will now process correctly rather than crashing. Do a quick audit of your ApplicationSet resources post-upgrade to confirm they're reconciling as expected — you may see previously-failing sets suddenly become active.

  • enhancementOCI metadata caching restored — expect reduced registry pressure

    The Redis cache for OCI metadata was broken, meaning every OCI source lookup was hitting the registry directly. With this fix, caching works again. If you use OCI-sourced ApplicationSets or Helm charts, you should see reduced latency and fewer registry requests after upgrading. No configuration change needed.

主な変更 (5)
  • Fixed panic in ApplicationSet DuckType Generator when encountering non-string values in cluster labels
  • Fixed pod logs viewer UI crash caused by stale container index references
  • Fixed double-delete error on the server side to prevent spurious errors during cleanup operations
  • Fixed OCI metadata put/get to/from Redis cache, restoring proper caching behavior
  • Bumped Go version to patch CVEs in the Go standard library
原文

Argo

CI/CD & App Delivery2026年4月30日

日本語 準備中Argo CD v3.2.11 is a patch release fixing three UI/server bugs — a double-delete error, a 401 stream crash, and a pod logs viewer crash on stale container indices.

  • enhancementApply this patch if your team uses the pod logs viewer or streaming UI features

    Two of the three fixes target UI stability — the pod logs crash on stale container indices and the 401 stream error. Both are silent killers in day-to-day operations: engineers open the logs viewer during an incident and hit a blank screen or crash. Drop this patch into your next maintenance window. No config changes needed.

  • enhancementDouble-delete server error is fixed — relevant if you use automated cleanup workflows

    If your pipelines or operators trigger multiple delete attempts on the same Argo CD resource (common in GitOps reconciliation loops or scripted teardowns), the server previously returned an error on the second attempt. This is now handled gracefully. No action required beyond upgrading.

主な変更 (5)
  • Fixed server error when a second delete operation is attempted on the same resource
  • Fixed UI crash when a 401 unauthorized error occurs in a streaming connection
  • Fixed pod logs viewer crash caused by stale container index references
  • Bumped SonarQube scan action dependency from 5.3.1 to 8.0.0
  • All container images remain cosign-signed with SLSA Level 3 provenance
原文

Open Policy Agent (OPA)

Security2026年4月30日

日本語 準備中v1.16.0 brings new URI builtins, Data API metadata support, OTLP metrics export, and critical fixes for log dropping and log buffer eviction bugs introduced in v1.15.x.

  • securityunits.parse_bytes exponent cap prevents timeout bypass

    Extremely large exponent values in units.parse_bytes could be used to cause evaluation timeouts, potentially bypassing policy enforcement. This is fixed in v1.16.0 by capping the exponent size. If your policies accept user-controlled input that gets passed to units.parse_bytes, this fix is directly relevant — upgrade and review any policies that parse byte strings from untrusted sources.

  • breakingUpgrade from v1.15.x immediately — logs are silently dropped

    A BufferedLogger bug in v1.15.x caused bundle download logs, print() debug output, and plugin logs to be dropped after the first flush. This is silent data loss in your observability stack. If you're running v1.15.x in any environment where decision logs or debug output matter, upgrade to v1.16.0 now. Check your log pipeline for gaps if you've been running v1.15.x in production.

  • enhancementUse new uri.parse / uri.is_valid builtins to replace fragile regex-based URL validation

    Many OPA policies today use regex or string manipulation to validate or decompose URLs — a brittle approach. The new uri.parse builtin returns structured RFC 3986 components (scheme, host, path, query, etc.), and uri.is_valid does a clean true/false structural check. If you have policies handling redirect URIs, webhook URLs, or any URL-bearing input, replace your custom parsing logic with these builtins. The structured output makes it easier to write precise, readable rules.

主な変更 (5)
  • New uri.parse and uri.is_valid builtins for RFC 3986-compliant URI handling in policy
  • Data API now supports request/response metadata for wrapping projects — custom fields logged under decision log Custom['request_metadata']
  • Prometheus metrics can now be exported via OTLP, unifying observability pipelines
  • Critical fix: v1.15.x dropped logs for bundle downloads, print() calls, and plugin-originated logs — upgrade immediately if on v1.15.x
  • units.parse_bytes exponent size now capped to prevent potential timeout bypass (security hardening)
原文

NATS

Networking & Messaging2026年4月30日

日本語 準備中NATS v2.14.0 (skipping 2.13.x) brings JetStream scheduling, fast-ingest batch publishing, consumer reset API, and critical Raft data-loss fixes. Review the upgrade guide before deploying.

  • breakingRead the 2.14 Upgrade Guide — 2.13.x was skipped

    This release jumps from 2.12.x to 2.14.x. The upgrade guide covers backwards compatibility breaks you must address. If you use ACLs on JetStream ACK or flow control subjects, the new domain-aware format ($JS.ACK.domain.acchash.stream.consumer.>) is disabled by default now but becomes the default in v2.15 — start updating your ACL rules now so the v2.15 upgrade isn't a fire drill.

  • breakingRaft startup now fails on corrupt/missing snapshots — test your recovery procedures

    Previously, a node with a corrupt or misaligned snapshot might start silently with bad state. Now it refuses to start. This is the right behavior, but if you have any clusters with questionable disk health or have experienced unclean shutdowns, validate your snapshot integrity before rolling this upgrade out. Ensure your ops runbook covers the recovery path for this scenario.

  • enhancementConsumer Reset API removes a painful operational pattern

    Rewinding a consumer previously meant deleting and recreating it — disruptive and error-prone. The new $JS.API.CONSUMER.RESET API lets you move a consumer back to an earlier sequence in place. If you maintain any tooling or runbooks that handle consumer rewind or replay scenarios, update them to use this API. It's also useful for incident recovery workflows.

主な変更 (5)
  • Fast-ingest batch publishing for high-throughput JetStream workloads (ADR-50)
  • Repeating/cron-based message schedules via Nats-Schedule header (ADR-51)
  • Consumer reset API — rewind a consumer without delete/recreate
  • Domain-aware ACK/FC subjects (js_ack_fc_v2 flag, becomes default in v2.15)
  • Raft nodes no longer start on missing/corrupt snapshots, preventing silent data loss
原文

Vitess

Storage & Data2026年4月30日

日本語 準備中Vitess v24 ships structured JSON logging by default, window function pushdown for sharded keyspaces, OpenTelemetry tracing, and a security fix for backup manifest command injection. 460 PRs merged.

  • securityBackup MANIFEST command injection is now blocked by default

    Prior to v24, an attacker with write access to backup storage could modify the MANIFEST file to inject arbitrary shell commands that VTTablet would execute during restore. This is now blocked — the MANIFEST decompressor field is ignored unless you explicitly pass --external-decompressor-use-manifest. If you're on v23 or earlier, treat backup storage access controls as a security boundary and audit who can write to it.

  • breakingAudit backup restore configs for MANIFEST decompressor

    If your VTTablet restore process relied on the decompressor command stored in backup MANIFESTs (i.e., you never set --external-decompressor but backups still decompressed), restores will silently skip decompression in v24 and likely fail. Add --external-decompressor-use-manifest to your VTTablet config to preserve old behavior, but read the security advisory first: a compromised backup store could execute arbitrary commands on your tablet. Evaluate whether you actually need this or can pass --external-decompressor explicitly instead.

  • breakingRemove deprecated VTOrc API endpoint and metric references

    The /api/replication-analysis endpoint returns 404 in v24 — any monitoring scripts, Grafana dashboards, or alerting rules hitting that URL will break silently or with errors. Switch to /api/detection-analysis (same params, same response format). Also replace DiscoverInstanceTimings with DiscoveryInstanceTimings in dashboards. Do this before deploying v24 to production.

  • enhancementMigrate tracing to OpenTelemetry now, not in v25

    opentracing-jaeger and opentracing-datadog are deprecated in v24 and will be removed in v25. The migration is straightforward: replace --tracer opentracing-jaeger with --tracer opentelemetry, and swap --jaeger-agent-host host:port for --otel-endpoint host:4317. Jaeger v1.35+ accepts OTLP on port 4317 by default. Datadog users should point to the Agent's OTLP ingestion endpoint. Do this upgrade cycle, not the next one.

  • enhancementAdd --cell flag to VTOrc now

    --cell is optional in v24 but becomes required in v25. Multi-cell deployments especially should add it now — startup validation against the topology will catch misconfiguration early, and it unblocks future cross-cell recovery logic in VTOrc. One flag, no downtime, avoids a forced change next release.

主な変更 (6)
  • Structured JSON logging is now the default (--log-format=text for human-readable; glog deprecated, removed in v25)
  • Window functions can now push down to shards when PARTITION BY matches a unique vindex — no more forced single-shard routing
  • External decompressor command from backup MANIFEST is ignored by default (security fix); opt-in required via --external-decompressor-use-manifest
  • OpenTracing backends (jaeger, datadog) deprecated; migrate to --tracer opentelemetry before v25
  • VTOrc /api/replication-analysis endpoint and DiscoverInstanceTimings metric removed — update dashboards and scripts now
  • --grpc-send-session-in-streaming flag removed from VTGate; session is always sent in streaming responses
原文

Karmada

Orchestration & Management2026年4月30日

日本語 準備中Karmada v1.17.2 is a patch release fixing scheduler misrouting bugs, operator reconciliation failures, and a Job replica assignment error — plus an Alpine base image bump for security.

  • securityRebuild or pull updated images to get the Alpine 3.23.4 base

    The base image was bumped from Alpine 3.23.3 to 3.23.4. If you're running air-gapped or mirrored image setups, make sure to pull and mirror the new v1.17.2 images. Check Alpine's changelog for the specific CVEs addressed if your compliance process requires it.

  • breakingScheduler backoffQ misrouting may have masked real scheduling failures

    Bindings with insufficient cluster replicas were incorrectly queued in backoffQ instead of unschedulableBindings. This means your scheduler may have been retrying workloads on an exponential backoff schedule rather than surfacing them as unschedulable. After upgrading, expect some previously silent failures to become visible in unschedulableBindings — review any workloads that seemed stuck or slow to schedule.

  • enhancementUpgrade if you use karmada-operator with custom tolerations/affinity or multi-cluster Jobs

    Two high-impact fixes landed here: operator-managed deployments were silently ignoring tolerations and affinity configs, which could cause pods to land on unintended nodes. And Job completion counts were being assigned incorrectly across clusters, which could corrupt Job semantics in distributed workloads. Both are straightforward regressions worth patching immediately if either feature is in use.

主な変更 (6)
  • karmada-operator now correctly applies tolerations and affinity settings to karmada-aggregated-apiserver and karmada-search deployments
  • Fixed non-idempotent secret creation that caused operator init reconciliation failures on repeated runs
  • Scheduler no longer misroutes bindings with insufficient replicas to backoffQ — they now correctly land in unschedulableBindings
  • Schedule success events with ClusterAffinities now include proper cluster information
  • Job completions are now distributed correctly across clusters instead of being assigned to wrong replicas
  • Base Alpine image bumped from 3.23.3 to 3.23.4 to address security concerns
原文

Karmada

Orchestration & Management2026年4月30日

日本語 準備中Karmada v1.16.5 is a focused patch release fixing scheduler queue misrouting, Job replica assignment errors, and operator reconciliation failures, plus an Alpine base image bump.

  • securityAlpine 3.23.4 base image — rebuild and redeploy your Karmada components

    The Alpine bump from 3.23.3 to 3.23.4 addresses upstream security concerns. If you're running custom-built Karmada images or have image scanning in your pipeline, update your base images accordingly. The official images in this release already include the updated base.

  • breakingScheduler queue misrouting causes stalled workloads — patch immediately

    The backoffQ vs unschedulableBindings misrouting bug means workloads with insufficient cluster replicas may have been stuck in the wrong queue, causing unexpected scheduling delays or failures. If you've seen bindings that appear perpetually pending despite enough cluster capacity becoming available, this fix directly addresses that. Upgrade to v1.16.5 and check for any bindings that are stuck — they should reschedule automatically after the upgrade.

  • breakingJob completions were assigned to wrong clusters — review existing Job distributions

    The Job completion replica assignment bug could have led to incorrect work distribution across member clusters. Jobs that ran on this version may have had skewed completion counts per cluster. After upgrading, inspect any multi-cluster Jobs that were scheduled on v1.16.4 to verify their completion semantics were not affected in production.

主な変更 (5)
  • karmada-operator: Secret creation made idempotent, fixing init reconciliation failures on retry
  • karmada-scheduler: Bindings with insufficient cluster replicas now correctly land in unschedulableBindings queue instead of backoffQ
  • karmada-scheduler: Schedule success events now include cluster info when using ClusterAffinities
  • Job completions now assigned correctly per cluster instead of being misrouted across replicas
  • Base image updated from alpine:3.23.3 to alpine:3.23.4 for security fixes
原文

Karmada

Orchestration & Management2026年4月30日

日本語 準備中Karmada v1.15.8 is a targeted bug-fix patch addressing scheduler queue misrouting, missing cluster info in events, and an operator reconciliation failure. Alpine base image bumped for security.

  • securityRebuild and redeploy to pick up alpine:3.23.4 patches

    The alpine base image bump from 3.23.3 to 3.23.4 addresses unspecified security concerns. If you're running custom Karmada images built from the upstream base, rebuild against the new base. If you're using official images, pulling v1.15.8 is sufficient.

  • breakingScheduler queue misrouting can cause workloads to be stuck — patch immediately

    The backoffQ bug is particularly dangerous in production: when a binding hits insufficient replicas, it gets retried with exponential backoff instead of being placed in unschedulableBindings where it belongs. This means your workloads silently wait longer than expected before rescheduling. If you're running ClusterAffinities with replica constraints, upgrade to v1.15.8 — don't wait on this one.

  • enhancementOperator idempotency fix prevents init reconciliation crashes on restarts

    The non-idempotent secret creation in karmada-operator meant that if the operator restarted mid-initialization, reconciliation would fail. This is now fixed with an idempotent approach. If you've been seeing operator init failures after pod restarts or rolling updates, this patch resolves the root cause.

主な変更 (4)
  • karmada-operator: Fixed non-idempotent secret creation that caused init reconciliation failures on retry
  • karmada-scheduler: Schedule success events now include cluster information when using ClusterAffinities
  • karmada-scheduler: Bindings with insufficient cluster replicas now correctly land in unschedulableBindings queue instead of backoffQ
  • Base image updated from alpine:3.23.3 to alpine:3.23.4 to address security concerns
原文

containerd

Kubernetes Core2026年4月30日

日本語 準備中containerd API v1.11.0 ships a new shim bootstrap protocol, container filesystem copy transfer types, and sandbox spec field support — aligning with the containerd 2.3 runtime release.

  • securitygRPC updated from v1.59.0 to v1.79.3 — multiple CVE fixes included

    A 20-minor-version jump in gRPC covers a significant span of security and stability fixes. If your environment pins or vendors gRPC separately, reconcile your dependency tree against v1.79.3. The golang.org/x/* packages also moved forward across the board, so a full dependency audit is warranted before deploying this API version in production.

  • breakingSandbox API: Container field removed, update any sandbox metadata consumers

    The Container field has been dropped from sandbox metadata and replaced with a spec field. If you have tooling, controllers, or custom runtimes that read or write sandbox metadata directly, audit them now. This is an API-level change — anything compiled against the old proto definitions will break at runtime when targeting containerd 2.3.

  • breakingShim bootstrap protocol is now protobuf — custom shim implementations need updating

    The new shim bootstrap protocol switches from JSON to protobuf and uses enums instead of strings for capabilities and log levels. If you maintain a custom shim or vendor the containerd API, you must update your bootstrap handling before deploying containerd 2.3. Third-party shims (e.g., kata-containers, nydus) likely need corresponding releases — check their compatibility before upgrading.

主な変更 (6)
  • New shim bootstrap protocol introduced: uses protobuf (not JSON), enums for capabilities/log levels, and includes containerd version at shim launch
  • Shim socket directory now uses the configured state directory instead of a hardcoded path
  • Transfer API gains new types for container filesystem copy operations
  • Sandbox API updated: Container field removed, spec field added to sandbox metadata
  • EROFS native container image support extended with os.features field in platform proto
  • gRPC dependency jumped from v1.59.0 to v1.79.3; protobuf toolchain migrated from protobuild to buf
原文

KServe

AI & ML2026年4月29日

日本語 準備中KServe v0.18.0 is a large release dominated by LLMInferenceService (llmisvc) maturation, two CVE fixes, and multi-node inference groundwork—teams running LLM workloads should review carefully before upgrading.

  • securityApply immediately: three CVE fixes in this release

    CVE-2026-32597 (PyJWT critical header bypass), CVE-2026-33186 (gRPC authorization bypass), and CVE-2026-30922 (pyasn1 DoS) are all patched here. If you're running KServe with gRPC inference endpoints or Python-based runtimes exposed externally, these are not optional. Upgrade to v0.18.0 or apply the patches to your current version. The gRPC bypass in particular could allow unauthenticated requests to reach protected inference endpoints.

  • breakingPYTHONPATH is now blocked in webhooks—audit your ServingRuntimes

    A new webhook validation blocks PYTHONPATH from being set in InferenceService or ServingRuntime specs. If any of your custom ServingRuntimes or ISVCs set PYTHONPATH (a common pattern for custom Python module paths), they will be rejected at admission after this upgrade. Audit all your ServingRuntime and ISVC manifests before upgrading and remove or replace PYTHONPATH usage.

  • breakingHelm chart renamed to 'kserve-resources'—update your Helm releases

    The KServe Helm chart name changed from 'kserve' to 'kserve-resources'. If you manage KServe via Helm, a naive upgrade will not find the old release name. Plan a migration: either rename the existing Helm release or uninstall/reinstall. CI pipelines, GitOps configs, and any tooling referencing the chart name need updating before you run the upgrade.

  • enhancementLLMInferenceService autoscaling is production-ready—evaluate for LLM workloads

    v0.18.0 ships KEDA/HPA and WVA-based autoscaling for LLMInferenceService, plus LWS as an autoscaling target for multi-node workloads. If you're running vLLM-backed inference at scale and hitting manual scaling pain, now is a good time to test llmisvc autoscaling in staging. The WVA dependency was bumped to v0.6.0-rc3, so treat it as near-stable but not fully GA.

主な変更 (5)
  • Two CVEs patched: PyJWT critical-header validation (CVE-2026-32597), gRPC authorization bypass (CVE-2026-33186), and pyasn1 DoS (CVE-2026-30922)—security fixes affect Python serving runtimes and gRPC paths
  • LLMInferenceService gains autoscaling via KEDA/HPA/WVA, LWS multi-node autoscaling target, TLS support, storage migration, and InferencePool readiness evaluation
  • PYTHONPATH env var is now blocked in ISVC and ServingRuntime webhooks—any serving runtime injecting PYTHONPATH will fail admission
  • Namespace-scoped ModelCache added, with download jobs running in the job namespace
  • Helm chart renamed from 'kserve' to 'kserve-resources'; vLLM bumped to 0.19.0, MLServer to 1.7.1
原文

Kyverno

Security2026年4月29日

日本語 準備中Kyverno 1.18 hardens HTTP context security with blocklist enforcement and scoped tokens, fixes multiple image verification bugs including a silent bypass, and expands CLI policy testing coverage.

  • securityAudit HTTP context policies before upgrading — blocklist is now enforced

    Any policy using HTTP context loading will now be subject to a configurable blocklist. Calls that previously succeeded might be blocked after upgrade. Before rolling out 1.18, inventory all policies with HTTP context entries, verify their target URLs are not on the default blocklist, and configure FLAG_HTTP_BLOCKLIST overrides where needed. Also check that scoped token authorization doesn't break policies relying on broader token access. Test in a non-production cluster first.

  • securityImage verification silent bypass is patched — verify your policies are actually enforcing

    A bug in processResourceWithPatches caused it to return nil on patch failure, which silently skipped image verification. If you've been running image verification policies and assumed they were enforcing, run a retroactive compliance scan after upgrading to confirm enforcement was working as expected. Also check the CVE fixes: CVE-2026-32280 (intermediate cert limiting) and CVE-2026-32283 (Go toolchain upgrade) are included in this release and warrant upgrading promptly.

  • enhancementUse successEventActions to reduce event spam in large clusters

    High-traffic clusters with broad Kyverno policies generate enormous volumes of success events, which can overwhelm etcd and make event streams useless. The new successEventActions ConfigMap parameter lets you filter exactly which success events get emitted. Add this to your Kyverno ConfigMap after upgrading and tune it based on which policy actions actually need visibility. Pairs well with the existing omitEvents setting — watch out for the new warning if you configure conflicting values.

主な変更 (5)
  • HTTP context calls now enforce a configurable blocklist and use scoped tokens — policies making external HTTP calls need review against new security constraints
  • imageRegistryCredentials can now reference namespaced secrets and pod-level imagePullSecrets, removing a long-standing limitation for multi-tenant image verification setups
  • Silent image verification bypass fixed: processResourceWithPatches was returning nil on patch failure, allowing images to slip through unverified
  • successEventActions ConfigMap parameter lets you filter which success events Kyverno emits, useful for high-volume clusters drowning in event noise
  • CLI now supports cleanup policies, HTTP/Envoy authz policies, and mutateExisting in kyverno apply and kyverno test — CI pipelines can finally test these policy types offline
原文

Microcks

CI/CD & App Delivery2026年4月29日

日本語 準備中Microcks 1.14.0 adds Kafka request-reply for async mocking and expands Callback/Sync-to-Async support across REST, gRPC, and the UI. A bug fix prevents HTTP method mutation on mocked operations.

  • securityRebuild custom images on updated UBI9 base

    The base image bumps to UBI9 9.7-1776833838. If you build custom Microcks images on top of the official one, rebuild and re-test after upgrading to pick up the upstream OS patches included in this UBI update.

  • breakingVerify REST mock routing after operation method fix

    The fix for issue #2028 prevents the operation HTTP method from being overridden — a subtle bug that could cause mocks to respond incorrectly if the method was being mutated. Verify any existing REST mocks that rely on method-specific routing to confirm they behave as expected after upgrade.

  • enhancementAdopt Kafka request-reply for async testing

    Kafka async mocks now support request-reply semantics. If your team uses Microcks to mock event-driven services over Kafka, this unlocks proper two-way interaction testing without external tooling. Review the updated API for Callback and Sync-to-Async support alongside the new triggers UI before migrating existing Kafka mock setups.

主な変更 (5)
  • Kafka async mocks now support request-reply pattern (previously only fire-and-forget was possible)
  • Callback and Sync-to-Async API updated; triggers info now visible in UI and usable as a second artifact
  • gRPC mocks gain triggers support
  • Operation HTTP method is no longer overridable (bug fix, #2028)
  • UBI9 base image updated to 9.7-1776833838; Angular bumped to 19.2.20; context propagation added with X-Trace-Id header support
原文

Knative

Orchestration & Management2026年4月28日

日本語 準備中Knative v1.22.0 completes the EndpointSlices migration, consolidates TLS configuration across all components, and adds new autoscaling observability metrics.

  • enhancementScrape the new queue/active request metrics for autoscaling tuning

    kn.revision.request.queued and kn.revision.request.active are now available from queue-proxy. If you're tuning concurrency targets or debugging cold-start behavior, add these to your Prometheus scrape config and dashboards. They give you direct visibility into the queue depth per revision, which was previously only inferable from aggregate metrics.

  • enhancementVerify RBAC if running with minimal cluster permissions

    The ClusterRole now includes endpointslices/restricted permissions to support the EndpointSlices migration. If your cluster uses OPA, Kyverno, or any policy engine that audits ClusterRole changes, review and approve the updated role during upgrade. Missing this permission would break autoscaler stat forwarding.

  • enhancementGraceful WebSocket shutdown reduces in-flight request drops during scale-down

    The queue-proxy now shuts down WebSocket connections gracefully. If your services handle WebSocket traffic, this directly reduces dropped connections during rolling updates or scale-to-zero events. No configuration change needed — the improvement is automatic on upgrade.

主な変更 (5)
  • Autoscaler stat forwarder and e2e tests fully migrated to EndpointSlices — Endpoints API usage continues to shrink
  • TLS configuration unified across reconciler, activator, and queue-proxy using knative.dev/pkg/network/tls
  • Two new metrics added: kn.revision.request.queued and kn.revision.request.active for better autoscaling visibility
  • Autoscaler now uses the /scale subresource for replica count updates instead of patching deployments directly
  • Deployment reconciliation optimized — updates only trigger on actual label, annotation, or spec changes
原文

Rook

Storage & Data2026年4月28日

日本語 準備中Rook v1.19.5 patches several operator bugs including a CSI priority class swap, OSD CRUSH device class fix, and more reliable mon drain behavior.

  • breakingAudit CSI priority classes after upgrade — they were swapped

    The provisioner and plugin priority class names were assigned to the wrong CSI components. If you set custom values for these fields, verify that your workloads are getting the priority you intended post-upgrade. Clusters running latency-sensitive storage I/O with tiered priority classes are most at risk. Check the assigned priority classes on CSI pods after the upgrade and adjust your Helm values if needed.

  • enhancementUpgrade if you've hit silent CRUSH device class failures on OSD re-discovery

    When OSDs were re-discovered (e.g., after node replacement or OSD recreation), the CRUSH device class wasn't being reapplied. This caused OSDs to land in the wrong CRUSH bucket, potentially breaking data placement rules. If you use device classes (hdd/ssd/nvme) for pool or rule targeting, verify your OSD tree after upgrading to confirm correct class assignments.

  • enhancementSet ROOK_UNREACHABLE_NODE_TOLERATION_SECONDS via Helm now

    Previously this required patching the operator deployment directly. With this release it's a first-class Helm value. If you've been working around this with post-install patches or custom operator manifests, clean those up and move the setting into your values file to avoid drift.

主な変更 (5)
  • CSI: provisionerPriorityClassName and pluginPriorityClassName were swapped — clusters with custom priority classes have been running with incorrect assignments until now
  • OSD: CRUSH device class no longer silently ignored during OSD re-discovery, fixing placement policy enforcement
  • MON: drain prevention logic improved when monitors are already down, reducing split-brain risk during maintenance
  • Helm: ROOK_UNREACHABLE_NODE_TOLERATION_SECONDS is now configurable via chart values instead of requiring manual operator env overrides
  • Security: rook-ceph-nvmeof service account granted proper SCC permissions; CSI resources now carry Helm ownership annotations
原文

OpenTelemetry

Observability2026年4月28日

日本語 準備中v0.151.0 has one API-level breaking change in the OTLP receiver config struct and changes the default behavior of the builder's go.mod generation. Dual-stack gRPC connection fixes and a pprofile data corruption fix are the most operationally relevant improvements.

  • breakingUpdate OTLP receiver config field access in custom collectors

    The OTLP receiver's Config.Protocols is now a named field — any code accessing cfg.GRPC or cfg.HTTP directly will fail to compile. Update those references to cfg.Protocols.GRPC and cfg.Protocols.HTTP before upgrading collector builds that embed or extend the OTLP receiver.

  • breakingCheck generated collector go.mod if you commit builder output

    cmd/builder now writes relative paths in Go module replace statements by default. For teams that build the collector, commit the generated source, and run it on multiple machines, this is an improvement. If you have tooling that depends on absolute paths (e.g., scripts parsing go.mod), set dist::use_absolute_replace_paths: true to preserve the old behavior while you migrate.

  • enhancementFix dual-stack DNS connection issues with passthrough gRPC resolver

    Teams running OTLP gRPC exporters in dual-stack DNS environments have reported connection issues since the grpc.NewClient migration. You can now work around this by setting the endpoint to passthrough:///host:port in your exporter config. If you've seen intermittent connection failures in IPv4/IPv6 mixed environments, try this first.

主な変更 (6)
  • cmd/builder: generated go.mod now uses relative replace paths by default; use dist::use_absolute_replace_paths to revert
  • receiver/otlp API: cfg.GRPC and cfg.HTTP must be accessed via cfg.Protocols.GRPC and cfg.Protocols.HTTP
  • configgrpc: passthrough:/// resolver scheme now accepted in endpoint field, fixing dual-stack DNS issues
  • pkg/pprofile: data corruption bug fixed in resource/scope attributes after marshal-unmarshal-merge round-trips
  • pkg/service: non-string resource attributes in telemetry config now return an error instead of panicking
  • framedSnappy feature gate in confighttp is now stable (no longer behind a flag)
原文

Dapr

Orchestration & Management2026年4月28日

日本語 準備中Single targeted bug fix: messages arriving during graceful shutdown or pub/sub component hot-reload no longer get silently routed to dead-letter queues.

  • breakingAudit your dead-letter queues for silently lost messages

    If you run pub/sub with dead-letter queues configured, messages diverted there during past rolling deployments or restarts were never retried — they just sat in the DLQ. Before upgrading, inspect those queues for messages that should have been processed. After upgrading to 1.17.6, plan to replay or reprocess any legitimate messages found there. Going forward, monitor DLQ depth during deployments as a health signal; a spike should now indicate actual processing failures, not shutdown timing artifacts.

  • enhancementUpgrade if you do rolling deployments or frequent restarts

    Any team doing Kubernetes rolling updates or frequent pod restarts with pub/sub workloads should treat this as a high-priority patch. The previous behavior was silent — no errors surfaced to your app, messages just disappeared into DLQs. The fix is low-risk (a targeted behavior change in the shutdown path), so upgrading from any 1.17.x release is straightforward.

主な変更 (4)
  • Messages arriving while a subscription is closing are now held (blocked) instead of immediately NACKed, letting the broker redeliver them to healthy consumers
  • Fix applies to all subscription types: declarative, programmatic (HTTP and gRPC), and streaming
  • Affects any scenario triggering graceful shutdown — rolling deployments, restarts, and pub/sub component hot-reloads
  • In-flight messages already being processed continue to complete normally before the subscription fully closes
原文

OpenCost

Observability2026年4月28日

日本語 準備中v1.120.1 is a patch release focused on carbon cost fixes, AWS Spot pricing performance, memory optimization, and a security-relevant MCP server default change.

  • breakingCheck if MCP server was relied upon — it's now off by default

    The MCP server flipped from opt-out to opt-in. If any tooling or integrations depended on the MCP server being active without explicit configuration, they will silently stop working after this upgrade. Before deploying, audit whether MCP_SERVER_ENABLED needs to be explicitly set to true in your environment config.

  • enhancementAWS Spot users: Spot Price History caching reduces API pressure

    If you run workloads on AWS Spot instances, OpenCost was previously hitting the Spot Price History API more aggressively. The new caching layer cuts down on AWS API calls, which matters both for rate limiting and for cost attribution latency. No action required, but worth validating your Spot cost data accuracy after upgrading.

  • enhancementCarbon cost data was wrong — upgrade if you track emissions

    The carbon cost fixes address incorrect provider detection and broken fallback logic, meaning prior carbon cost figures may have been inaccurate. If you surface carbon/emissions data to teams or dashboards, re-baseline your metrics post-upgrade rather than comparing historical data across this version boundary.

主な変更 (5)
  • MCP server now defaults to disabled (MCP_SERVER_ENABLED=false) — previously it was opt-out, now it's opt-in
  • Carbon cost lookups fixed: provider detection, fallback logic, and network cost support corrected
  • AWS Spot Price History API now has a caching layer, reducing API call volume and latency
  • Memory usage tweaks in a second pass of optimizations, continuing work from prior releases
  • Local storage cost queries replaced with direct math, removing Prometheus query dependency for that path
原文

Strimzi

Networking & Messaging2026年4月28日

日本語 準備中Strimzi 1.0.0 drops all pre-v1 CRD APIs — this is a hard requirement before upgrading. Also adds Kafka 4.1.2 support, TLS on the HTTP Bridge, and environment-variable-based rack awareness.

  • breakingConvert all CRDs to v1 API before upgrading — no exceptions

    Strimzi 1.0.0 flat-out removes v1beta2, v1beta1, and v1alpha1. If any of your custom resources still use those API versions, the operator will not reconcile them after upgrade. Run the CRD conversion procedure documented by Strimzi before touching anything else. This applies to KafkaTopic and KafkaUser resources too, which had their own v1alpha1/v1beta1 versions. Skipping this step will break your cluster management silently.

  • enhancementSwitch rack awareness to environment-variable type to drop ClusterRoleBindings

    The new type: environment-variable rack awareness reads topology from env vars rather than querying the Kubernetes API, which means it no longer needs ClusterRoleBindings. If you're running in environments with tight RBAC policies or multi-tenant clusters, this is worth migrating to. Review your Kafka CR's rack configuration and update the type field — no other infrastructure changes needed.

  • enhancementUseConnectBuildWithBuildah is now on by default — verify your Connect build pipelines

    This feature gate moving to beta means Buildah is now the default build tool for Kafka Connect connector builds. If you've been relying on Kaniko-specific behavior or have custom build configurations, test your Connect builds in a non-production environment after upgrading. The Buildah image is pinned in the release, so the toolchain is stable, but behavioral differences in layer caching or registry auth handling could surface.

主な変更 (5)
  • v1beta2, v1beta1, and v1alpha1 CRD APIs removed — only v1 API is supported going forward
  • Kafka 4.1.2 added; Kafka 4.2.0 image also included in this release
  • TLS/SSL support added to the HTTP Bridge
  • New environment-variable rack awareness type eliminates the need for ClusterRoleBindings
  • UseConnectBuildWithBuildah feature gate promoted to beta and enabled by default
原文

SPIRE

Security2026年4月27日

日本語 準備中SPIRE v1.14.6 patches two critical security vulnerabilities in node attestation: an EC2 instance impersonation flaw and a race condition in join token validation.

  • securityUpgrade immediately if using aws_iid node attestation

    The aws_iid bug is severe: any EC2 instance under attacker control could forge the identity of any other EC2 instance during attestation, bypassing all downstream SPIFFE ID assignment and workload authorization. If you use aws_iid attestation in any environment, treat this as a critical breach risk and upgrade to v1.14.6 now. After upgrading, audit your node attestation logs for anomalous registrations — specifically instances claiming identities inconsistent with their actual AWS metadata.

  • securityJoin token race condition allows double-registration — patch now

    The TOCTOU flaw means two concurrent requests with the same join token could both complete attestation successfully, resulting in two agents registered under one token. If join tokens are distributed in automated pipelines or ephemeral environments, an attacker who intercepts a token could race a legitimate agent to claim it. Upgrade to v1.14.6, then review your join token issuance and revocation policies. Consider switching to shorter-lived tokens or alternative attestation methods like x509pop for sensitive workloads.

主な変更 (3)
  • Fixed aws_iid attestor: PKCS7 signature was verified against embedded content, but identity was parsed from an attacker-controlled field — allowing any EC2 instance to impersonate any other.
  • Fixed join token TOCTOU race: concurrent attestations with the same token could both succeed due to silent no-op deletes. Now uses row-locked read-modify-write transactions.
  • Both vulnerabilities reported by Tianshuo Han.
原文

SPIRE

Security2026年4月27日

日本語 準備中v1.13.6 patches two serious security vulnerabilities in SPIRE: an EC2 instance impersonation flaw in the AWS IID attestor and a race condition in join token handling. Upgrade immediately.

  • securityUpgrade now if you use AWS IID node attestation

    The AWS IID attestor vulnerability is severe: any attacker controlling an EC2 instance could forge the identity of any other EC2 instance in your environment during node attestation. All downstream RBAC, SVID issuance, and workload identity decisions would operate on the forged identity. If you run SPIRE with the aws_iid server plugin, treat this as a critical incident — patch to v1.13.6 before doing anything else. Review your SPIRE server logs for unexpected node attestation events from EC2 instances, especially cross-account or cross-region patterns.

  • securityAudit join token usage if you allow concurrent agent bootstrapping

    The TOCTOU bug in join token handling means two agents racing to attest with the same token could both succeed — violating the one-time-use guarantee. In practice this could allow unauthorized agents to join your trust domain. After upgrading, rotate any join tokens that may have been used during periods of concurrent agent bootstrapping. If you use join tokens in automation (e.g., init containers, CI pipelines), review whether parallel execution could have triggered this race.

主な変更 (3)
  • Fixed AWS IID attestor bug where PKCS7 signature was verified against embedded content but identity was parsed from an attacker-controlled field — enabling full EC2 impersonation during node attestation
  • Fixed TOCTOU race in join token attestation: concurrent requests with the same token could both succeed; now enforced via read-modify-write transaction with row locking
  • Both vulnerabilities reported by Tianshuo Han; no new features or other changes in this release
原文

NATS

Networking & Messaging2026年4月27日

日本語 準備中NATS v2.12.8 is a substantial bug-fix release targeting JetStream stability — particularly clustered stream/consumer reliability, Raft edge cases, and a bearer JWT disclosure vulnerability in the monitoring API.

  • securityPatch immediately: /connz was leaking bearer JWTs

    Any deployment using JWT-based auth with the monitoring endpoint exposed (even internally) was potentially leaking bearer tokens in /connz responses. Rotate any JWTs that may have been exposed, audit monitoring endpoint access logs, and upgrade to v2.12.8 now. If you can't upgrade immediately, restrict /connz access via firewall or NATS monitoring auth.

  • securityCLI argument secrets now redacted in monitoring

    Route and cluster URLs passed as CLI arguments (which often contain credentials) were previously visible in monitoring output. Upgrade to v2.12.8 and review any monitoring dashboards or log aggregation pipelines that may have captured this data historically.

  • enhancementJetStream cluster operators: test your scaling and recovery paths

    This release fixes several nasty edge cases — stream leader catch-up from snapshots, Raft commit index resets on term mismatches, in-flight assignment visibility for stream/consumer info, and the 'last sequence mismatch' error from failed proposals. If you've been seeing any of these intermittent errors in clustered JetStream, v2.12.8 is a high-priority upgrade. After upgrading, monitor for reduced error rates in stream info and consumer info endpoints during scaling operations.

主な変更 (5)
  • Bearer JWTs no longer exposed via the /connz monitoring endpoint — direct security fix requiring immediate attention
  • Route and cluster URL secrets are now redacted when passed as CLI arguments
  • Multiple JetStream panic fixes: consumer pause endpoint, scaling after stream update, and legacy Raft snapshot recovery
  • Stream sourcing duplicate message bug resolved for leafnode reconnection and proposal error scenarios
  • Consumer starting sequence scan is now async, removing a metalayer pause that could cause latency spikes
原文

NATS

Networking & Messaging2026年4月27日

日本語 準備中NATS v2.11.17 is a security and stability patch addressing JWT bearer token exposure in monitoring endpoints, credential redaction gaps, and several crash/correctness bugs.

  • securityPatch immediately: /connz was leaking bearer JWTs

    Any operator exposing the NATS monitoring port (default 8222) to internal or external networks should treat this as urgent. Bearer tokens visible in /connz could be harvested and replayed. Rotate any JWTs that may have been exposed, audit who had access to your monitoring endpoints, and upgrade to 2.11.17 now. If you cannot upgrade immediately, firewall the monitoring port.

  • securityCLI-embedded secrets were visible in monitoring output

    If your NATS deployment passes route or cluster URLs with embedded credentials as command-line arguments, those secrets were previously visible in monitoring output. Audit your monitoring data for any historical exposure, rotate affected credentials, and upgrade. Long-term, prefer config files or environment-based secret injection over CLI arguments.

  • breakingRepeated CONNECT behavior change may affect edge-case clients

    The fix for repeated CONNECT messages clearing subscriptions changes previously tolerated (but incorrect) behavior. Custom clients or unusual connection patterns that send multiple CONNECT messages on the same connection could see subscriptions unexpectedly dropped. Audit any non-standard client code before upgrading in production.

主な変更 (5)
  • Bearer JWTs no longer exposed via the /connz monitoring endpoint — this was a credential leak
  • Route and cluster URL secrets passed as CLI args are now redacted in monitoring output
  • Repeated CONNECT messages on a connection now correctly clear subscriptions, preventing stale state
  • JWT claims spanning midnight now validate correctly — edge case that could silently break auth
  • Fixed a panic during leafnode compression negotiation and a header mutation bug affecting message buffers
原文

Prometheus

Observability2026年4月27日

日本語 準備中Prometheus v3.11.3 patches three security vulnerabilities: a credential leak, a DoS vector via malformed snappy payloads, and a stored XSS in the classic UI.

  • securityRotate AzureAD client secrets if /-/config was accessible

    If you use AzureAD remote write and the /-/config endpoint was reachable by anyone other than trusted admins, treat your client_secret as compromised. Rotate it in Azure AD immediately, then upgrade to v3.11.3. Also audit who has access to that endpoint — it should never be public-facing.

  • securityUpgrade immediately if remote-read is enabled and exposed

    The snappy decode vulnerability lets an attacker send a crafted request with an inflated declared length, potentially exhausting memory. If your Prometheus remote-read endpoint is reachable from outside your trust boundary, this is a real DoS risk. Upgrade to v3.11.3 as soon as possible — there's no config-level workaround short of disabling remote-read entirely.

  • securityAssess XSS exposure if you still run the classic UI

    The stored XSS in the old UI heatmap affects any deployment where users can influence label values (e.g., via instrumented applications) and other users view those charts. If you've already migrated to the new UI, you're not affected. If you haven't, upgrade now — or at minimum restrict UI access to trusted users until you do.

主な変更 (3)
  • CVE-2026-42151: AzureAD OAuth client_secret was exposed in plaintext through the /-/config endpoint
  • CVE-2026-42154: Remote-read now rejects snappy-compressed requests where declared decoded length exceeds the configured limit, closing a potential DoS vector
  • Stored XSS fixed in the old/classic UI heatmap chart — unescaped 'le' label values in tick labels were the injection point
原文

OpenFGA

Security2026年4月27日

日本語 準備中v1.15.0 brings latency improvements for complex authorization models via edge pruning, fixes a cache bug in the experimental weighted graph checker, and patches Go stdlib CVEs by upgrading to Go 1.26.2.

  • securityUpdate immediately to patch Go stdlib vulnerabilities

    This release ships Go 1.26.2, which addresses vulnerabilities in the Go standard library. If you run OpenFGA as a managed binary or container, pull the new image now. If you build from source, ensure your toolchain matches. Don't wait on this — stdlib vulns can affect TLS, HTTP parsing, and crypto paths that OpenFGA relies on.

  • enhancementRe-benchmark list objects performance on complex models

    Edge pruning in the list objects pipeline cuts unnecessary graph traversal. If your authorization model has deep or wide relationship graphs, you should see reduced p99 latency on ListObjects calls. Run your existing load tests against v1.15.0 and compare — this is a free win that requires no config changes.

  • enhancementRe-evaluate weighted_graph_check cache behavior if you hit cold-start issues

    The experimental weighted_graph_check feature was silently skipping its cache on cold start or when the cache controller was disabled, which could explain unexpected latency spikes early in pod lifecycle. The fix aligns behavior with the documented contract: zero invalidation time means use the cache. If you're using this experimental feature, test it again — behavior will differ from what you may have measured before.

主な変更 (3)
  • Edge pruning added to list objects pipeline — measurable latency reduction for large, complex authorization models
  • Fixed weighted_graph_check cache being incorrectly bypassed when cache controller returns zero invalidation time (cold start or disabled state)
  • Go toolchain bumped to 1.26.2 to address Go standard library security vulnerabilities
原文

Prometheus

Observability2026年4月27日

日本語 準備中Prometheus v3.5.3 is a security-only release patching four vulnerabilities: credential exposure, two snappy decompression bombs, and a stored XSS in the legacy UI.

  • securityRotate AzureAD client_secret immediately if /-/config was exposed

    Any Prometheus instance using AzureAD remote write had its OAuth client_secret visible in plaintext at the /-/config endpoint. If that endpoint was reachable by untrusted users or scraped by monitoring tools, treat the secret as compromised. Rotate it in Azure AD, update your Prometheus config, and then upgrade to v3.5.3. After upgrading, restrict /-/config access via --web.enable-admin-api controls or a reverse proxy allowlist.

  • securityUpgrade now if you accept remote-read or remote-write from untrusted sources

    Both remote-read and remote-write endpoints were vulnerable to decompression bomb attacks — a crafted snappy request with an inflated declared size could exhaust memory. If your Prometheus is internet-facing or accepts data from multiple tenants, this is a denial-of-service risk. Upgrade to v3.5.3 immediately. There is no config-level workaround; the fix is in the code.

  • securityPatch stored XSS if anyone uses the legacy UI with untrusted label values

    The old UI heatmap rendered 'le' label values without escaping, allowing stored XSS. If your users browse the legacy UI and your metrics include 'le' labels sourced from external or user-controlled systems, malicious JavaScript could execute in their browsers. Upgrade to v3.5.3. As a short-term measure, direct users to the new UI instead.

主な変更 (4)
  • CVE-2026-42151: AzureAD OAuth client_secret leaked in plaintext via /-/config endpoint
  • CVE-2026-42154: Remote-read snappy decompression bomb — oversized declared decode length now rejected
  • Remote-write snappy decompression bomb fixed with same decode limit enforcement (no separate CVE listed)
  • Stored XSS via unescaped 'le' label values in legacy UI heatmap tick labels (GHSA-fw8g-cg8f-9j28)
原文

Flatcar Container Linux

Provisioning & Runtime2026年4月27日

日本語 準備中A large security maintenance release for the LTS channel: kernel jumps from 6.6.107 to 6.6.127 and closes hundreds of CVEs accumulated since the last LTS point release, plus a ca-certificates update and a local dev fix for arm64 Macs.

  • securityApply the kernel update promptly — large CVE backlog closed

    This release rolls up roughly 20 kernel point releases (6.6.107 through 6.6.127), closing several hundred CVEs accumulated over that span. Treat this as a mandatory patch cycle rather than a routine bump — teams on 4081.3.6 or earlier have been running with months of unpatched kernel CVEs, some of which affect networking, filesystems, and memory management subsystems commonly hit in container workloads. Roll this out to fleets on the LTS channel as soon as your update ring allows.

  • enhancementVerify TLS trust chains after ca-certificates 3.116→3.122 jump

    ca-certificates jumped from 3.116 to 3.122, spanning multiple NSS releases. If you pin or vendor CA bundles separately from the OS image, check for any removed or distrusted root certificates in that range that could break TLS validation for internal services or older endpoints.

  • enhancementFaster local VM testing on Apple Silicon

    The QEMU launcher script now enables HVF acceleration on arm64 Macs (Flatcar#1901). If you develop or test Flatcar images locally on Apple Silicon, update your local scripts/tooling to pick this up — VM boot and test cycles should be noticeably faster.

主な変更 (5)
  • Linux kernel updated from 6.6.107 to 6.6.127, bundling ~20 stable kernel releases
  • Several hundred CVEs patched in this single release, spanning 2023–2026 disclosures
  • ca-certificates updated from 3.116 to 3.122 (multiple NSS releases bundled)
  • QEMU launcher script fix adds HVF acceleration for arm64 Macs, improving local VM performance
  • No new features or config-breaking changes — this is a maintenance/security rollup
原文

Flatcar Container Linux

Provisioning & Runtime2026年4月27日

日本語 準備中Flatcar stable-4593.2.0 is a large security + infrastructure release: 150+ kernel CVEs patched, openssh/openssl/curl/intel-microcode updated, and significant initrd/partition layout changes that need attention before upgrading.

  • securityMass CVE remediation across kernel and userspace — update now

    Linux kernel patches cover 150+ CVEs, and userspace components (openssh 10.2_p1, openssl 3.5.4, curl 8.16.0, intel-microcode, gnupg, pam) each carry their own CVE fixes. This is a large security catch-up from Stable 4459.2.4. Any Flatcar node on stable should be updated promptly — the auto-update mechanism will handle it, but verify nodes are actually cycling through updates if you have update pauses configured.

  • breakingsshd now uses OpenSSH upstream defaults including post-quantum key exchange

    sshd_config no longer hard-codes Ciphers, MACs, and KexAlgorithms; OpenSSH upstream defaults now apply, which includes post-quantum key exchange. If your environment requires specific legacy algorithms (e.g., for compliance tooling or older SSH clients), add drop-in config to /etc/ssh/sshd_config.d/ before upgrading. Test SSH connectivity after the update in a non-prod node first.

  • breakingPartition layout changed; kernel module availability in first-stage initrd is reduced

    Partition sizes have grown: /boot to 1 GB, /usr to 2 GB, /oem to 1 GB. Existing nodes can still update, but new disk images will use the larger layout. If you have tight disk quotas, pre-provision or verify disk images have room. Also, the kernel+initrd on /boot is now half the size due to a two-stage initrd split — if any required drivers were only in the first-stage initrd, you may see boot issues. Report regressions to the Flatcar team immediately.

主な変更 (6)
  • Linux kernel updated to 6.12.81 with 150+ CVEs patched across the kernel alone
  • openssh updated to 10.2_p1 with sshd now using upstream defaults — post-quantum key exchange enabled by default, legacy cipher config removed
  • intel-microcode updated with 14 CVE fixes covering side-channel and information-disclosure issues on Intel hardware
  • Two-stage initrd introduced: first stage is minimal (smaller /boot footprint), full initrd runs second; custom kernel module builds now use upstream kernel method instead of Ubuntu-style approach
  • Partition sizes increased for /boot, /usr, and /oem; Ignition OEM config loading and PXE OEM customization fixed after earlier initrd rework broke them
  • SSSD/LDAP authentication restored — PAM sssd support and LDB modules were missing after a prior Samba update
原文

Cortex

Observability2026年4月27日

日本語 準備中Cortex v1.21.0 graduates several experimental features to stable, fixes multiple PRW2 data corruption and panic bugs, and introduces a new Parquet mode for Store Gateway alongside an Overrides API.

  • breakingAudit and update renamed flags before upgrading

    Several flags were renamed: -experimental.ruler.enable-api → -ruler.enable-api, -experimental.alertmanager.enable-api → -alertmanager.enable-api, -distributor.otlp.enable-type-and-unit-labels is now a no-op (consolidated into -distributor.enable-type-and-unit-labels), and parquet cache flags/configs dropped 'queryable' from their names. The users-scanner cleanup-interval became update-interval. Old flags are deprecated but not removed yet — audit your config files and Helm values now, before they disappear in a future release.

  • breakingPRW2 data corruption and panic fixes require validation of existing pipelines

    Three separate bugs in the Remote Write V2 handler were fixed: shallow copying of Samples/Histograms caused data corruption, dirty sync.Pool reuse caused index-out-of-range panics, and Symbols backing array wasn't cleared on pool return causing memory leaks. If you're using PRW2, treat this upgrade as mandatory. Validate your ingestion pipeline after upgrading and check that downstream metrics are intact.

  • enhancementBucket index is now on by default — verify storage permissions

    The bucket index is enabled by default in this release. If your object storage IAM policies restrict list operations or your Cortex deployment had bucket index disabled intentionally, verify that the bucket index can be written and read correctly post-upgrade. Cortex will generate and maintain the index automatically, but storage permission errors will surface as query failures rather than obvious configuration errors.

主な変更 (5)
  • Bucket index enabled by default — disabling it in production is explicitly unsupported
  • Multiple flag and config renames: ruler, alertmanager, users-scanner, and parquet cache config keys have changed
  • PRW2 bugs fixed: data corruption from shallow copying Samples/Histograms, index-out-of-range panics, and memory leaks in sync.Pool reuse
  • New Overrides API module for managing tenant limits via API; old module renamed to overrides-configs
  • Alertmanager upgraded to v0.31.1 with IncidentIO and Mattermost integrations; config disappearance bug on ring unavailability fixed
原文

wasmCloud

Orchestration & Management2026年4月24日

日本語 準備中Patch release upgrading to Wasmtime 44 and fixing a pooling allocator crash, plus new glibc builds for GPU workloads on Linux.

  • securityUpgrade if you hit pooling allocator crashes — the fix prevents silent failures

    The pooling allocator was being enabled without checking whether the host hardware actually supports it, which could cause runtime crashes or unpredictable memory behavior. If you've seen wash-runtime instability on certain host types, this fix directly addresses that. Upgrade and monitor memory allocation behavior post-deploy.

  • breakingTest Wasmtime 44 upgrade in staging before rolling to production

    Wasmtime 44 is a major version bump for the underlying runtime. While wasmCloud wraps it, Wasmtime releases frequently carry behavior changes in memory handling, WASI interfaces, or component model semantics. Validate your component workloads in a non-production environment before upgrading clusters.

  • enhancementGPU workloads on Linux now have proper glibc builds — start testing if relevant

    If you're running or planning wasmCloud workloads that touch GPU features on Linux, the new glibc builds resolve compatibility issues with standard Linux distributions that expect dynamically linked runtimes. Pull the new artifacts and validate against your target GPU host environment.

主な変更 (4)
  • Wasmtime runtime upgraded to version 44
  • Pooling allocator is now probed for hardware support before being enabled, preventing crashes on unsupported systems
  • New glibc-linked builds added for Linux systems requiring GPU feature support
  • Minor patch with no API or configuration breaking changes
原文

KubeVirt

Orchestration & Management2026年4月24日

日本語 準備中KubeVirt v1.7.3 is a focused patch release fixing 11 bugs across live migration, ARM64/s390x guest support, VMExport, and virt-handler stability.

  • breakingBackend storage volume name has changed — check existing VMs

    VMs using backend storage volumes will now report the volume name as 'persistent-state-for-this-vm' instead of a name derived from the VM name. If you have monitoring, automation, or tooling that references the old volume name pattern, update those references before upgrading. Verify existing VMs with backend storage in your environment to understand impact before rolling out v1.7.3.

  • enhancementUpgrade if you run ARM64 or s390x guests, or use decentralized live migration

    Three targeted fixes land for non-x86 architectures: ARM64 SMBIOS visibility and s390x PCIe controller errors are both resolved. Separately, decentralized live migration now correctly reports success and supports Windows VMs requiring Hyper-V enlightenments. If any of these scenarios apply to your cluster, this patch is worth prioritizing over staying on v1.7.2.

  • enhancementvirt-handler socket recovery is now automatic — no more manual pod restarts

    Two separate fixes address domain-notify server crashes and socket deletion. Previously, a deleted or crashed notify socket would leave virt-handler in a broken state requiring manual intervention. After upgrading, this recovers automatically. If you've been seeing unexplained VM communication failures on nodes, this is likely the culprit.

主な変更 (5)
  • virt-handler now detects and auto-restarts the domain-notify server when the socket is deleted or exits unexpectedly — previously this caused silent failures
  • Fixed live migration reporting and enlightenment support after decentralized live migration sequences
  • ARM64 guests can now see SMBIOS system information; s390x VMs no longer fail due to unsupported PCIe root-port controllers introduced in v3 PCI topology
  • Backend storage volume names now use the fixed label 'persistent-state-for-this-vm' instead of embedding the VM name, which was causing truncation issues
  • VMExport failures with long PVC names fixed; memory dump PVCs now labeled correctly to support CDI WebhookPvcRendering
原文

KubeVirt

Orchestration & Management2026年4月24日

日本語 準備中KubeVirt v1.6.5 is a patch release with 61 fixes targeting decentralized live migration reliability, virt-handler stability, and monitoring accuracy.

  • breakingBackend storage volume rename may affect existing tooling

    VMs using backend storage volumes will now report the volume name as 'persistent-state-for-this-vm' rather than a name derived from the VM name. If you have scripts, dashboards, or alerts that reference the old volume naming pattern, update them before upgrading. Check if any PVC-based tooling depends on that name convention.

  • enhancementUpgrade if you rely on decentralized live migration

    Three separate bugs in decentralized live migration are fixed here: cross-volumeMode failures, broken migration for enlightened (Hyper-V) VMs, and incorrect 'succeeded' status reporting after compute migration. If your cluster runs Windows VMs or mixes volume modes, this patch directly unblocks those scenarios. Prioritize this upgrade over staying on v1.6.4.

  • enhancementMonitoring alert baselines are now more accurate

    The low-count alert for KubeVirt components now fires based on the configured replica count in the deployment, not a hardcoded value. Non-schedulable nodes are also excluded from kubevirt_allocatable_nodes. Review your existing alert thresholds after upgrading — alerts may behave differently if your environment has non-schedulable nodes or custom replica counts.

主な変更 (5)
  • virt-handler now auto-recovers when domain-notify.sock is deleted, preventing silent VM communication failures
  • Decentralized live migration gets multiple fixes: cross-volumeMode migrations complete successfully, enlightened VMs can migrate again, and migration status now correctly reports 'succeeded' after compute migration
  • Backend storage volumes now use a stable name ('persistent-state-for-this-vm') instead of embedding the VM name, which affects volume naming for existing VMs
  • Monitoring improvements: kubevirt_allocatable_nodes excludes non-schedulable nodes, and low-count alerts now use the deployment's configured replica count as baseline
  • Infinite VMI status update loop between virt-controller and virt-handler fixed when primary NIC was listed after secondary NICs in the spec
原文

Linkerd

Networking & Messaging2026年4月24日

日本語 準備中Maintenance-heavy edge release with OpenSSL/rustls security bumps, a policy admission fix for Gateway routes, and a more robust annotation-to-metric-label conversion in the injector.

  • securityPick up OpenSSL and rustls-webpki patches now

    Two OpenSSL crate bumps landed in this release, plus a rustls-webpki update. These sit in the proxy's TLS stack. If you're running any Linkerd edge build in a security-sensitive environment, upgrade to edge-26.4.4 to get the patched cryptographic dependencies rather than waiting for the next stable.

  • breakingVerify Gateway route policies after the admission webhook fix

    The admission webhook previously ran full validation on Gateway routes even when they contained fields Linkerd doesn't support, causing legitimate routes to be rejected. That's fixed now — but if you worked around this by restructuring routes, review whether those workarounds are still needed or are now masking misconfigurations.

  • enhancementTest chart override behavior if you use custom install values

    The fix to apply overrides to chart values on install closes a gap where certain Helm value overrides weren't being applied. If you have installation automation that relies on specific override patterns, run a dry-run install against this version to confirm the resulting values match expectations before rolling to production.

主な変更 (5)
  • OpenSSL crates bumped twice (0.10.76→0.10.78) and rustls-webpki updated — relevant for Rust-based proxy TLS surface
  • Policy admission webhook now skips validation for Gateway routes with unsupported fields, preventing false rejections
  • Injector uses more robust logic to convert annotations to metric labels, reducing edge-case label corruption
  • Chart install now applies overrides to chart values correctly, fixing a long-standing install customization gap
  • proxy-init updated to v2.4.8 and cni-plugin to v1.6.7 alongside proxy v2.350.0
原文

Envoy

Networking & Messaging2026年4月23日

日本語 準備中Envoy v1.38 is a massive release with several breaking changes requiring immediate action — RSA key usage enforcement, BoringSSL build flag changes, and tcp_proxy config validation are the top priorities before upgrading.

  • securityPatch CVE-2026-27135 by upgrading to v1.38

    This release includes the nghttp2 patch for CVE-2026-27135, which affects HTTP/2 header field handling. If you're running Envoy as an HTTP/2 gateway or proxy, this is a direct exposure. Prioritize upgrading clusters that terminate or proxy HTTP/2 traffic. RBAC header matcher also received a fix preventing concatenation-based bypass attacks — another reason to treat this upgrade as security-relevant.

  • breakingAudit TLS configs before upgrading — RSA key usage now enforced

    enforce_rsa_key_usage defaults to true starting this release and will be removed entirely next release, making it permanent. Any upstream TLS connection where the certificate's key usage doesn't match the negotiated cipher will be rejected. Before upgrading, audit your upstream certificate configurations. Test in staging first — silent failures in prod will be connection resets, not helpful error messages.

  • breakingUpdate BoringSSL FIPS build pipelines before building v1.38

    The --define=boringssl=fips Bazel flag is gone. CI/CD pipelines or Dockerfiles that build Envoy with FIPS mode will fail silently or error out. Replace with --config=boringssl-fips. If you're consuming official binaries rather than building from source, this doesn't affect you directly, but verify your supply-chain tooling if you maintain custom builds.

  • enhancementOpenTelemetry metrics over HTTP — drop the collector sidecar

    The OTel stat sink can now push metrics directly via OTLP/HTTP without requiring a collector sidecar. If you're running otel-collector as a DaemonSet purely for Envoy metrics forwarding, you can simplify that architecture. Evaluate whether direct OTLP/HTTP export to your backend (Grafana Cloud, Honeycomb, etc.) reduces operational overhead in your environment.

主な変更 (6)
  • enforce_rsa_key_usage now defaults to true on upstream TLS contexts — connections using mismatched RSA key usage will fail
  • BoringSSL FIPS build flag changed from --define=boringssl=fips to --config=boringssl-fips, breaking existing build pipelines
  • tcp_proxy requires explicit max_early_data_bytes for non-IMMEDIATE upstream_connect_mode, failing validation at startup if missing
  • CVE-2026-27135 patched in nghttp2 HTTP/2 header handling
  • OAuth2 token encryption is now on by default; opt-out requires explicit disable_token_encryption flag
  • Dynamic modules gain significant new extension points including tracers, TLS validators, and custom LB policies with ABI forward-compatibility to v1.39
原文
古い →
月別に見る