RATATOSKRATATOSK
ログイン

リリース

CNCF graduated・incubatingプロジェクトのリリースノートのAI分析。

2026年4月解除 ×

Kyverno

Security2026年4月23日

日本語 準備中v1.16.4 is a security-focused patch release addressing 15+ CVEs across Kyverno's dependency chain, plus a critical behavioral change that disables HTTP in namespaced policies by default.

  • securityUpgrade immediately — 15+ CVEs patched, including supply chain components

    This release patches CVEs across sigstore/rekor, go-tuf, docker/cli, Go stdlib, and Kyverno's own code. Several of these touch the image verification and policy fetch paths. If you're running any image signing workflows with Kyverno, the rekor and go-tuf bumps are directly relevant. Plan an upgrade in your next maintenance window — do not wait for the next major cycle.

  • breakingHTTP disabled by default in namespaced policies (CVE-2026-4789) — test before upgrading

    Namespaced policies that fetch external data over plain HTTP will silently stop working after this upgrade. If you use URL context sources or external data fetches in namespaced ClusterPolicy or Policy resources, audit them for HTTP (non-HTTPS) endpoints before upgrading. This is a security hardening change, but it will break existing policies that relied on insecure endpoints. Switch those endpoints to HTTPS or migrate to HTTPS-capable data sources first.

  • breakingRestricted ConfigMap access for namespaced policies — RBAC may need review

    Namespaced policies now have reduced ConfigMap access scope. If your policies rely on reading ConfigMaps outside their namespace for context or configuration, those reads will fail post-upgrade. Review your policy definitions for cross-namespace ConfigMap references and adjust either the policy logic or the access grants accordingly before rolling out this version.

主な変更 (5)
  • CVE-2026-4789: HTTP disabled by default in namespaced policies — this is a behavioral change, not just a dep bump
  • Namespaced policies now have restricted ConfigMap access, tightening the blast radius of compromised policy controllers
  • Scoped token used for request authorization, replacing broader token usage in policy evaluation
  • forEach mutation panic fixed — previously could crash the engine on certain mutate rule configurations
  • Dependency CVEs resolved: docker/cli, sigstore/rekor, go-tuf/v2, stdlib, and others updated
原文

Kyverno

Security2026年4月23日

日本語 準備中v1.17.2 is a security-heavy patch release addressing multiple CVEs and fixing critical bugs in MutatingPolicy, ValidatingPolicy, webhook reconciliation, and namespaced policy handling.

  • securityUpgrade immediately — 6+ CVEs fixed in this release

    This release patches at least six CVEs across dependencies and Go stdlib, plus CVE-2026-4789 which disables HTTP in namespaced policies by default. If you run namespaced policies that rely on HTTP-based external data sources or webhooks, audit those configurations before upgrading — they will stop working silently. Upgrade path: update your Helm chart or manifests to v1.17.2 and validate policy behavior in a staging environment first.

  • breakingNamespaced policies: HTTP disabled and ConfigMap access restricted

    Two separate hardening changes affect namespaced policies. HTTP is now disabled by default (CVE-2026-4789), and ConfigMap access has been scoped down. If your namespaced policies fetch context from HTTP endpoints or read ConfigMaps outside their namespace, those policies will fail silently or error post-upgrade. Run a dry-run or audit scan against your namespaced policies before deploying to production.

  • enhancementWebhook reconciliation loop fix — reduces controller churn in large clusters

    Inconsistent webhook rule ordering was causing repeated reconciliation loops, which generates excess API server load and noisy controller logs. This is fixed. If you've been seeing constant webhook object churn in your audit logs or elevated kyverno-controller CPU, this release resolves it. No action needed post-upgrade, but worth monitoring controller metrics after rollout to confirm stabilization.

主な変更 (5)
  • Multiple CVEs patched: CVE-2026-24051, CVE-2026-15558, CVE-2026-1229, CVE-2026-33186, CVE-2026-34986, CVE-2026-4789 — plus Go stdlib CVE bumps
  • HTTP disabled by default in namespaced policies (CVE-2026-4789) — behavioral change for existing namespaced policy configurations
  • ConfigMap access restricted for namespaced policies — scope reduction to limit blast radius
  • Webhook reconciliation loop fixed: webhooks and webhook rules now maintain consistent ordering to prevent endless reconciliation cycles
  • forEach mutation engine panic prevented, wrong lister for NamespacedGeneratingPolicy on UPDATE fixed, and user info handling added to MutatingPolicy/ValidatingPolicy
原文

Kubernetes

Kubernetes Core2026年4月22日

日本語 準備中Kubernetes v1.36 is a large release with multiple GA promotions, significant DRA expansions, new gang-scheduling APIs, and several metric renames that require immediate action before upgrading.

  • breakingUpdate monitoring before upgrading: two metric renames

    The metrics `volume_operation_total_errors` and `etcd_bookmark_counts` have been renamed to `volume_operation_errors_total` and `etcd_bookmark_total` respectively. Any Prometheus alerts or Grafana dashboards using the old names will silently stop firing after upgrade. Audit your monitoring stack and update all references before rolling out v1.36 to production.

  • breakingDRA RBAC changes required if using DRAResourceClaimGranularStatusAuthorization

    The `DRAResourceClaimGranularStatusAuthorization` feature gate is beta and on by default in v1.36. DRA schedulers and controllers now need explicit `update`/`patch` on `resourceclaims/binding`, and DRA drivers need `associated-node:update` or `arbitrary-node:update` on `resourceclaims/driver` scoped to their specific `resourceNames`. If you run DRA drivers, audit and update their RBAC manifests before upgrading, or pods will fail to schedule.

  • breakingflex-volume and git-repo volume plugin removals

    kubeadm no longer mounts the flex-volume plugin directory automatically, and the git-repo volume plugin is permanently disabled. If any workloads still use git-repo volumes, they will stop working — there's no flag to re-enable it. Migrate to an init container pattern or a CSI driver. For flex-volumes in kubeadm environments, you must manually configure extraVolumes and a non-distroless KCM image before upgrading to v1.36.

  • breakingStrictIPCIDRValidation on by default — check your IP/CIDR fields

    API fields now reject IPs with leading zeros (e.g., `010.0.0.1`) and CIDRs with host bits set (e.g., `192.168.1.5/24` instead of `192.168.1.0/24`). Existing objects are preserved via validation ratcheting, but new creates and updates will fail if they use these formats. Audit your manifests, Helm charts, and automation for non-canonical IP/CIDR values before upgrading.

  • enhancementMutatingAdmissionPolicy is now GA — consider replacing webhook boilerplate

    MutatingAdmissionPolicy (CEL-based mutation) is now v1 and enabled by default. If you're running simple mutating webhooks that set defaults or inject labels/annotations, this is a good time to evaluate replacing them with MutatingAdmissionPolicy resources. CEL-based policies eliminate the need to maintain webhook servers, certificates, and availability concerns. Start with low-risk, stateless mutations.

主な変更 (7)
  • Two metric renames require dashboard/alert updates before upgrade: `volume_operation_total_errors` → `volume_operation_errors_total` and `etcd_bookmark_counts` → `etcd_bookmark_total`
  • flex-volume support removed from kubeadm; git-repo volume plugin disabled permanently — migrate to CSI if still using either
  • DRA gets major expansions: device taints/tolerations to beta, DRAAdminAccess and DRAPrioritizedList to GA, new list-type attributes, NativeResourceMappings, and granular RBAC for ResourceClaim status updates now required
  • UserNamespacesSupport graduates to GA; MutatingAdmissionPolicy reaches GA (v1) and is enabled by default
  • StrictIPCIDRValidation is now on by default — API fields reject IPs/CIDRs with leading zeros or ambiguous subnet masks
  • New scheduling.k8s.io/v1alpha2 Workload/PodGroup APIs introduced for gang-scheduling; v1alpha1 Workload API removed
  • InPlacePodLevelResourcesVerticalScaling graduates to beta (on by default), enabling in-place CPU/memory resize at the pod level
原文

CoreDNS

Kubernetes Core2026年4月22日

日本語 準備中CoreDNS v1.14.3 ships full TSIG verification across all transports, multiple Go security CVE fixes, cache prefetch improvements, and a new forward plugin max_age option — a solid operational hardening release.

  • securityUpgrade immediately for 13 Go CVE fixes and TSIG transport hardening

    Go 1.26.2 in this build addresses 13 CVEs. Beyond the runtime fixes, TSIG verification gaps in DoH, DoH3, QUIC, and gRPC transports are now closed — if you run any of those transports with TSIG, unauthenticated requests could previously slip through. Upgrade to v1.14.3 and verify your TSIG configurations are still valid after the stricter enforcement.

  • breakingDoH oversized GET requests are now rejected — validate your clients

    CoreDNS now rejects oversized dns query parameters in DoH GET requests. Any client sending unusually large DNS-over-HTTPS GET queries will start getting errors. Test your DoH clients against this build in staging before rolling out; most well-behaved clients are unaffected, but custom or non-standard DoH implementations should be checked.

  • enhancementUse max_age in the forward plugin to prevent stale upstream connections

    Long-lived upstream connections can silently degrade or get dropped by middleboxes. The new max_age option in the forward plugin lets you set an absolute connection lifetime. If you've seen sporadic upstream timeouts or resolution failures that resolve themselves, configure max_age to force periodic reconnection — start with something like 30s–5m depending on your upstream stability.

主な変更 (5)
  • Full TSIG verification now enforced on DoH, DoH3, QUIC, and gRPC transports — previously these transports lacked complete verification
  • Built with Go 1.26.2, patching 13 CVEs including CVE-2026-32282, CVE-2026-32289, CVE-2026-33810, and others
  • Cache prefetching reworked to release client connections before fetching upstream, preventing connection exhaustion under load
  • New max_age option in the forward plugin enforces absolute connection lifetime, helping with stale upstream connection issues
  • Metrics endpoint now supports optional TLS, and Go runtime metrics can be selectively exported
原文

wasmCloud

Orchestration & Management2026年4月21日

日本語 準備中v2.0.4 is a minor maintenance release with TLS improvements for wash dev/host, a Helm chart fix for gateway routing, and governance updates.

  • breakingCheck your Helm chart values if using local gateway routing

    The gateway is now disabled in values.local.yaml, and the hello-world example routes through a Kubernetes Service instead. If you forked or customized local Helm values with gateway-based routing, your setup may stop working after this update. Review your local values files against the updated defaults before upgrading.

  • enhancementEnable TLS on wash dev/host if you're running local or production clusters

    TLS support now works across both wash dev and wash host. If you've been skipping TLS for local dev because it was unsupported, that excuse is gone. Test your TLS config in dev to catch certificate or connection issues before they surface in production.

主な変更 (5)
  • TLS support extended to both wash dev and wash host commands
  • Helm chart fix: gateway disabled in values.local.yaml, hello-world now routes via Service instead
  • Governance docs updated for wasmCloud v2, including new wash maintainer (Pavel Agafonov)
  • Shared WIT dependency infrastructure added for testing
  • WASI Preview 2 documentation link corrected
原文

Argo

CI/CD & App Delivery2026年4月21日

日本語 準備中Argo CD v3.3.8 is a patch release with six bug fixes targeting core mode syncs, AppSet resource limits, CLI diff accuracy, and informer cache staleness.

  • breakingRefresh behavior changed again — validate your autosync pipelines

    The revert of the informer resync fix means refresh behavior is back to pre-3.3.7 state. If you tuned anything around reduced refresh frequency after upgrading to 3.3.7, re-examine those assumptions. Check autosync event logs to confirm expected behavior before promoting to production.

  • enhancementCore mode users: upgrade immediately to unblock syncs

    The missing server.secretkey bug caused silent sync failures in core mode deployments — a serious operational gap that's easy to miss in monitoring. If you run Argo CD in core mode, this patch is not optional. Upgrade, then verify sync status across all applications post-upgrade.

  • enhancementLarge ApplicationSets now default to 5,000 resource status entries

    If you manage ApplicationSets with hundreds of apps, you may have hit the old resource status count ceiling without realizing it. After upgrading, review any ApplicationSets that showed truncated or missing resource statuses and confirm they now report correctly.

主な変更 (6)
  • Reverted an earlier fix that prevented automatic refreshes from informer resync and status updates — the revert restores previous refresh behavior
  • App controller in core mode no longer fails to sync when server.secretkey is missing
  • AppSet resource status count ceiling raised to 5,000 by default (up from prior limit)
  • CLI app diff/manifests now correctly use DrySource revision when sourceHydrator is active
  • Stale informer cache in RevisionMetadata handler resolved, reducing phantom diff scenarios
  • Autosync event message format reverted to match pre-regression output
原文

Argo

CI/CD & App Delivery2026年4月21日

日本語 準備中Argo CD v3.2.10 is a pure bug-fix patch that resolves five regressions, including a critical core-mode sync failure and a stale cache issue in RevisionMetadata.

  • breakingCore-mode deployments: upgrade immediately if apps are stuck out-of-sync

    If you run Argo CD in core mode (no API server) and recently saw apps failing to sync with secret-related errors, the missing server.secretkey bug was silently blocking all syncs. Upgrade to v3.2.10 and verify affected apps reconcile cleanly afterward.

  • breakingAutosync event message format reverted — re-check any alerting rules you updated

    A message format change introduced recently and then reverted means the autosync event messages are back to their original format. If you updated Prometheus alerting rules, Grafana queries, or log parsers to match the new format, roll those changes back before upgrading to avoid false positives or missed alerts.

  • enhancementsourceHydrator users: upgrade to get correct app diff behavior

    The CLI was using the wrong source revision for app diff and manifests commands when sourceHydrator was in use, meaning you could be reviewing diffs against the wrong state. After upgrading, re-run any diff checks you performed on v3.2.9 to confirm the output is accurate.

主な変更 (5)
  • Reverted an over-aggressive change that blocked automatic refreshes from informer resync and status updates — restoring expected GitOps sync behavior
  • Fixed app controller in core mode failing to sync when the server.secretkey is missing — a silent failure that could leave apps permanently out-of-sync
  • Fixed CLI app diff/manifests using the wrong revision when sourceHydrator is configured
  • Fixed stale informer cache reads in the RevisionMetadata handler, preventing outdated metadata from being served
  • Reverted an autosync event message format change that broke downstream log parsing or alerting rules
原文

Argo

CI/CD & App Delivery2026年4月21日

日本語 準備中Patch release with two targeted bug fixes: a revert of a problematic refresh prevention change and a core mode sync failure when server.secretkey is absent.

  • breakingRevert of refresh-prevention fix may re-expose original behavior

    The cherry-picked fix for preventing automatic refreshes from informer resyncs and status updates was reverted because it caused problems in 3.1. If you upgraded to 3.1.x specifically expecting that behavior to be fixed, it's gone again. Watch the upstream issue for a corrected implementation before relying on it. No action needed otherwise, but be aware of potential extra refresh churn in large clusters.

  • enhancementUpgrade immediately if running Argo CD in core mode without server.secretkey

    A bug caused the application controller to fail syncing entirely when running in core mode and the server.secretkey was absent from the cluster secret. If your core-mode installations have ever had intermittent sync failures that were hard to diagnose, this is likely the culprit. Upgrade to 3.1.15 and verify syncs resume normally after rollout.

主な変更 (3)
  • Reverted the automatic refresh prevention fix (#25290) that was cherry-picked into 3.1 — the fix itself caused regressions
  • Fixed app controller core mode failing to sync when server.secretkey is missing from the cluster secret
  • All container images remain cosign-signed with SLSA Level 3 provenance
原文

cert-manager

Security2026年4月21日

日本語 準備中Pure security patch: Go runtime bumped to 1.23.9 and vulnerable dependencies updated. No functional changes — upgrade is the only action needed.

  • securityUpgrade to v1.19.5 immediately — this is a pure CVE fix

    The cert-manager team explicitly recommends all users upgrade. The changes are limited to Go runtime and dependency bumps, so there is no functional risk in upgrading. If you are on any v1.19.x release, this is a straight swap with no migration steps. Check your deployment method (Helm, static manifests, OperatorHub) and roll it out to all clusters. Delaying leaves your cert-manager pods running with known vulnerable Go packages.

主な変更 (3)
  • Go runtime upgraded from an older 1.23.x to 1.23.9 to address multiple CVEs in the Go toolchain
  • Third-party Go dependencies with reported vulnerabilities bumped to patched versions
  • No API, behavioral, or configuration changes — drop-in replacement for v1.19.x
原文

Flux

CI/CD & App Delivery2026年4月21日

日本語 準備中Flux v2.8.6 is a patch release fixing helm-controller post-renderer conflicts, a notification-controller regression for generic providers, and adding a MigrateAPIVersion feature gate in kustomize-controller.

  • breakingAdd 'audience' to GCR Receiver secrets before upgrading to v2.9

    The 'audience' field on GCR Receiver secrets is currently optional but will become mandatory in v2.9. Audit your Receiver resources now and add the audience field to any GCR-backed secrets. Doing this proactively prevents a hard failure on your next major upgrade.

  • breakingGeneric provider commit status events were broken — upgrade immediately if you rely on them

    A regression in notification-controller stopped generic providers from forwarding commit status events. If your CI/CD pipelines depend on those webhooks for pipeline gating or observability, they have been silently failing since the prior release. This patch restores that behavior — upgrade to v2.8.6 without delay.

  • enhancementUse MigrateAPIVersion feature gate when managing resources with deprecated API versions

    If kustomize-controller manages resources that use older API versions tracked in managed field entries, the new MigrateAPIVersion feature gate handles migration automatically. Enable it in environments where you're seeing API version drift or drift detection noise from deprecated APIs.

主な変更 (5)
  • helm-controller: Fixed post-renderer conflict when hooks and templates overlap, and force-replace is now ignored when server-side apply is enabled
  • notification-controller: Regression fix restoring commit status forwarding for generic providers — if you use generic webhooks, this one matters
  • notification-controller: GCR Receiver secrets now require the 'audience' field; not yet mandatory but will be enforced in v2.9
  • kustomize-controller: New MigrateAPIVersion feature gate to handle API version migration in managed field entries
  • source-controller and image-automation-controller updated to go-git v5.18.0 for faster Git operations
原文

KubeVirt

Orchestration & Management2026年4月20日

日本語 準備中KubeVirt v1.8.2 is a patch release with 12 bug fixes covering hotplug volumes, live migration, TLS config, qcow2 disk handling, and multi-arch VM stability.

  • breakingBackend storage volume naming changed — check for impacts

    VMs using backend storage volumes will now report the volume name as 'persistent-state-for-this-vm' instead of a name derived from the VM name. If you have monitoring alerts, scripts, or tooling that match on the old volume name pattern, they will silently break. Audit any automation that references backend storage volume names before upgrading.

  • enhancementUpgrade s390x and ARM64 clusters — arch-specific VM failures resolved

    Two separate fixes land here: ARM64 guests now correctly expose SMBIOS system info, and s390x VMs failing to create due to unsupported PCIe root-port controllers from the v3 PCI topology change are fixed. If you're running multi-arch clusters and held back on v1.8.x due to these issues, v1.8.2 is the version to move to.

  • enhancementTLS config from KubeVirt CR now respected by sync-controller and virt-exportserver

    Previously, the sync-controller healthz server and virt-exportserver ignored the TLSConfiguration set in the KubeVirt CR, potentially using weaker defaults. After upgrading, verify your KubeVirt CR TLS settings are correct — they'll actually take effect now. This matters most for clusters with strict cipher or TLS version requirements.

主な変更 (6)
  • virt-handler now auto-restarts the notify server when domain-notify.sock is deleted, preventing silent VM communication failures
  • Hotplug volumes stuck in 'Detaching' phase are now correctly resolved
  • Fixed migration status not reporting 'succeeded' after decentralized live migration with compute migration
  • qcow2 overlay disks now correctly resolve source, preventing wrong disk expansion and incorrect cache/IO mode
  • s390x VM creation failures from unsupported PCIe root-port controllers (introduced in v3 PCI topology) are fixed
  • Backend storage volumes now use a stable name 'persistent-state-for-this-vm' instead of embedding the VM name
原文

Contour

Networking & Messaging2026年4月20日

日本語 準備中v1.33.4 is a security-critical patch fixing a Lua code injection CVE in Contour's Cookie Rewriting feature — upgrade immediately, and note the hard Envoy 1.35.0 minimum requirement.

  • securityPatch CVE-2026-41246 immediately — arbitrary code execution risk in shared Envoy

    Any tenant with RBAC permissions to create or modify HTTPProxy resources could inject arbitrary Lua code through a crafted pathRewrite value. In multi-tenant clusters where Envoy is shared infrastructure, this means a compromised or malicious tenant could steal xDS client credentials or deny service to other tenants. Upgrade Contour to v1.33.4 and ensure Envoy is at 1.35.0 or later before deploying. Audit your RBAC policies to limit HTTPProxy write access to trusted principals as a defense-in-depth measure.

  • breakingEnvoy 1.35.0 minimum — verify your Envoy version before upgrading Contour

    This release will not function correctly with Envoy versions older than 1.35.0 due to the new filterContext-based Lua approach. If you manage your own Envoy image or pin versions, upgrade Envoy first. The bundled Envoy in the official manifests is already at v1.35.10, so if you use the standard deployment you're covered — but custom or air-gapped environments need explicit attention here.

  • enhancementReview HTTPProxy RBAC regardless of upgrade timing

    Even after patching, the underlying attack surface is broad write access to HTTPProxy resources. Take this as a signal to tighten RBAC: restrict HTTPProxy creation/modification to platform operators rather than application developers where possible. In high-trust multi-tenant environments this kind of privilege separation is the right long-term control.

主な変更 (4)
  • CVE-2026-41246 fixed: Lua code injection via malicious cookieRewritePolicies pathRewrite values could allow arbitrary code execution in Envoy
  • Cookie Rewriting feature redesigned: text/template generation dropped in favor of structured filterContext data passed to a static Lua script
  • Envoy 1.35.0 is now a hard minimum requirement for this release
  • Bundled Envoy bumped to v1.35.10
原文

Contour

Networking & Messaging2026年4月20日

日本語 準備中v1.32.5 is a security patch fixing a Lua code injection vulnerability (CVE-2026-41246) in Contour's Cookie Rewriting feature, plus an Envoy bump to v1.34.14. Upgrade immediately in multi-tenant environments.

  • securityPatch CVE-2026-41246 immediately in multi-tenant clusters

    Any cluster where untrusted users or teams have RBAC permissions to create or modify HTTPProxy resources is directly exposed. An attacker crafts a pathRewrite.value that breaks out of the Lua string context, gaining code execution in Envoy — which runs as shared infrastructure. That means credential theft (xDS client certs) or denial of service for every tenant on the same Envoy instance. Upgrade to v1.32.5 now. While you prepare the upgrade, audit who has create/update rights on HTTPProxy and tighten RBAC to the minimum necessary.

  • breakingReview existing cookieRewritePolicies after upgrade

    The fix adds escaping to pathRewrite.value inputs. Legitimate values with special characters (backslashes, quotes, etc.) will now be escaped before Lua interpolation, which changes runtime behavior. Test any HTTPProxy resources using cookieRewritePolicies[].pathRewrite.value in a staging environment post-upgrade to confirm cookie rewriting still behaves as expected.

  • enhancementEnvoy v1.34.14 is bundled — no separate action needed

    The Envoy bump is included in the Contour image. If you run a managed Envoy deployment alongside Contour, verify your Envoy image is also updated to v1.34.14 to stay consistent with Contour's tested configuration.

主な変更 (5)
  • CVE-2026-41246 fixed: Lua code injection via malicious cookieRewritePolicies[].pathRewrite.value in HTTPProxy resources
  • Attackers with HTTPProxy RBAC write access could achieve arbitrary code execution inside the shared Envoy proxy
  • Injected code could exfiltrate Envoy's xDS client credentials or cause DoS for co-located tenants
  • Fix escapes user-provided cookie path rewrite values before Lua interpolation
  • Envoy updated to v1.34.14
原文

Contour

Networking & Messaging2026年4月20日

日本語 準備中Contour v1.31.6 patches a Lua code injection vulnerability (CVE-2026-41246) in Cookie Rewriting that could allow arbitrary code execution in shared Envoy infrastructure.

  • securityPatch immediately if you allow untrusted users to create/modify HTTPProxy resources

    CVE-2026-41246 is a privilege escalation path in multi-tenant clusters. Any user with RBAC write access to HTTPProxy objects can inject arbitrary Lua into Envoy — and since Envoy is shared infrastructure, the blast radius extends to other tenants and exposes xDS credentials. Upgrade to v1.31.6 now. If you cannot upgrade immediately, audit existing HTTPProxy objects for suspicious pathRewrite values and tighten RBAC so only trusted principals can write HTTPProxy resources.

  • enhancementReview RBAC around HTTPProxy write permissions regardless of upgrade status

    This CVE class — user-controlled values interpolated into code — is a design risk whenever untrusted users can write Kubernetes custom resources that drive proxy configuration. Use this as a prompt to apply least-privilege RBAC on HTTPProxy, HTTPRoute, and similar resources across your clusters. Namespace-scoped RBAC and admission webhooks that validate pathRewrite values are good mitigations to layer on top of the patch.

主な変更 (4)
  • Security fix for CVE-2026-41246: Lua code injection via malicious cookieRewritePolicies[].pathRewrite.value in HTTPProxy resources
  • Injected code could exfiltrate Envoy xDS client credentials from the filesystem or cause DoS for co-tenants
  • Fix escapes user-provided values before interpolation into Lua code — no API changes required
  • Envoy bumped to v1.34.14
原文

Crossplane

Orchestration & Management2026年4月20日

日本語 準備中Crossplane v2.2.1 patches two user-reported bugs — ImageConfig prefix rewrite dependency upgrades and ResourceSelector handling — plus a broad sweep of security dependency updates.

  • securityUpgrade to v2.2.1 immediately for dependency security fixes

    This release pulls in security patches for at least 8 upstream libraries including cosign, go-git, go-jose, and cloudflare/circl. These are not cosmetic bumps — go-git had two separate security-tagged updates in this release alone (v5.17.1 and v5.18.0). If you're running v2.2.0, plan the upgrade now. The patch is a drop-in replacement with no breaking changes.

  • breakingVerify your ImageConfig prefix rewrite setups after upgrading

    If you use ImageConfig prefix rewrites to redirect package pulls (e.g., to a private registry mirror), your packages may have been silently stuck on stale dependency versions before this fix. After upgrading to v2.2.1, expect Crossplane to reconcile and potentially upgrade dependent packages that were previously frozen. Review installed package versions post-upgrade to confirm the expected state.

  • enhancementComposition functions can now use broad ResourceSelectors safely

    Composition functions that need to select all existing resources of a given kind no longer need workarounds. A ResourceSelector with only apiVersion and kind set is now valid. If you patched around this limitation with explicit matchLabels or matchName wildcards, you can simplify those selectors in your function logic.

主な変更 (5)
  • Fixed: packages installed via ImageConfig prefix rewrites were silently skipping dependency upgrades, leaving stale versions in place
  • Fixed: composition functions returning a ResourceSelector with only apiVersion/kind (no matchName or matchLabels) now correctly selects all resources of that kind instead of being rejected
  • Go runtime bumped to 1.25.9 with security tag
  • Security updates across: cosign, go-git, go-jose, cloudflare/circl, moby/spdystream, sigstore/timestamp-authority, docker/cli, and the OTel OTLP HTTP trace exporter
  • CI workflow hardening: mitigated potential script injection in the promote workflow and added required job-level permissions
原文

Crossplane

Orchestration & Management2026年4月20日

日本語 準備中v2.1.5 patches three behavioral bugs (ImageConfig upgrades, ResourceSelector matching, circuit breaker resets) and pulls in a broad sweep of security dependency updates including Go 1.25.9.

  • securityUpgrade to v2.1.5 promptly — this release addresses multiple CVEs in core dependencies

    The dependency list here is long: grpc, go-git (patched twice), go-jose, cloudflare/circl, moby/spdystream, docker/cli, and the OTel OTLP trace exporter all received security updates, plus Go itself was bumped to 1.25.9. Any of these could carry CVEs relevant to your threat model. This isn't a routine chore bump — prioritize this upgrade over staying on v2.1.4.

  • breakingCheck for silently stale packages if you use ImageConfig prefix rewrites

    If your environment uses ImageConfig to rewrite registry prefixes, dependent packages may have been silently pinned at outdated versions since the bug was introduced. After upgrading to v2.1.5, verify that your package dependency graph resolves to the expected versions — stale packages won't auto-upgrade retroactively, so you may need to trigger a reinstall or version bump manually.

  • enhancementResourceSelector 'select all of a kind' unlocks cleaner composition function patterns

    If you've been working around the previous rejection of bare apiVersion/kind selectors — adding dummy matchLabels or splitting logic — you can now clean that up. A selector with no match fields is treated as 'give me all resources of this kind,' which is the intuitive behavior. Review your composition functions for any workarounds and simplify them after upgrading.

主な変更 (5)
  • ImageConfig prefix rewrite users were silently stuck on stale dependency versions — now dependency upgrades work correctly through rewrites
  • Composition functions can now use a ResourceSelector with only apiVersion/kind (no matchName or matchLabels) to select all resources of a given kind
  • Circuit breaker state is now cleared on XR deletion, preventing newly recreated XRs from being blocked by leftover breaker state
  • Security dependency bumps across grpc, go-git, go-jose, cloudflare/circl, moby/spdystream, docker/cli, sigstore, and OTel OTLP HTTP exporter
  • Go runtime bumped to 1.25.9 for underlying security fixes
原文

Crossplane

Orchestration & Management2026年4月20日

日本語 準備中v2.0.8 fixes two user-reported bugs (ImageConfig prefix rewrite upgrades, ResourceSelector with no match field) and patches multiple security vulnerabilities in upstream dependencies.

  • securityUpgrade to v2.0.8 immediately for dependency security patches

    Multiple upstream dependencies received security-tagged fixes in this release — go-git (two separate bumps to v5.17.1 then v5.18.0), go-jose, cloudflare/circl, and others. These aren't just routine bumps; they carry CVE-related fixes. If you're running any v2.0.x release prior to v2.0.8, upgrade now. There are no API changes, so the upgrade path is straightforward.

  • breakingAudit packages installed via ImageConfig prefix rewrites for stale dependencies

    If your environment uses ImageConfig prefix rewrites to redirect package pulls (e.g., to a private registry), dependent packages may have been silently stuck on outdated versions since you adopted that configuration. After upgrading to v2.0.8, force a reconciliation and verify that all package dependencies are on their expected versions — don't assume the upgrade alone will catch everything already in a stuck state.

  • enhancementUse bare ResourceSelector (apiVersion+kind only) for 'select all' semantics in composition functions

    Previously, omitting matchName and matchLabels from a ResourceSelector caused Crossplane to reject the request outright. That's now fixed — a bare selector correctly means 'all resources of this kind'. If you worked around this limitation by enumerating resources explicitly or adding dummy match conditions, clean up those workarounds after upgrading.

主な変更 (5)
  • ImageConfig prefix rewrite: dependency upgrades now propagate correctly — packages were silently stuck on stale versions before this fix
  • ResourceSelector with only apiVersion+kind (no matchName/matchLabels) now correctly selects all resources of that kind instead of being rejected
  • Go runtime bumped to 1.25.9 with security fixes
  • Security patches across go-git, go-jose, cloudflare/circl, moby/spdystream, sigstore/timestamp-authority, docker/cli, and the OTLP HTTP trace exporter
  • CI workflow hardened against potential script injection in the promote pipeline
原文

Crossplane

Orchestration & Management2026年4月20日

日本語 準備中v1.20.6 is a security-focused patch release fixing multiple dependency CVEs and hardening CI workflows against script injection attacks.

  • securityUpgrade to v1.20.6 immediately — multiple dependency CVEs patched

    Five separate security dependency updates landed in this release, covering cryptography (circl), git operations (go-git), HTTP/2 streaming (spdystream), and telemetry export (otelhttp). Any Crossplane v1.20.x deployment is exposed until upgraded. This isn't a theoretical risk — go-git had two separate security fixes within this single patch release, which signals active exploitation concern. Run your upgrade now.

  • securityCI/CD supply chain hardening — audit your own pipelines

    The Crossplane team mitigated script injection in their release promotion workflow and tightened GitHub Actions job permissions. If you're running Crossplane forks, mirrors, or custom automation that builds on top of Crossplane's CI patterns, audit your own workflows for similar issues: untrusted input in run steps and overly broad GITHUB_TOKEN permissions are the two patterns to check.

  • enhancementTrivy scanning dropped from CI — don't let it drop from yours

    Crossplane dropped Trivy from their CI pipeline in this release. This is an internal CI decision, but if your team was relying on Crossplane's upstream scan results as a proxy for your own security posture, that signal is now gone. Make sure you have independent vulnerability scanning on your Crossplane images and provider images in your own pipelines.

主な変更 (5)
  • go-git/go-git updated twice (v5.17.1 → v5.18.0) to address security vulnerabilities in git operations
  • cloudflare/circl updated to v1.6.3 for cryptographic library security fixes
  • moby/spdystream updated to v0.5.1 to patch a security issue in HTTP/2 stream handling
  • OpenTelemetry OTLP trace exporter updated to v1.43.0 with security fixes
  • CI workflow hardened against script injection and permission escalation vulnerabilities
原文

Kubescape

Security2026年4月17日

日本語 準備中Kubescape v4.0.5 is a routine maintenance release: Go toolchain update plus dependency bumps. No new features or bug fixes.

  • securityUpgrade to pick up Go runtime and dependency CVE fixes

    Go version bumps often patch stdlib vulnerabilities (e.g., net/http, crypto) that affect compiled binaries. If you're running Kubescape as a cluster component or in CI pipelines, pull this update. Check your current version with 'kubescape version' and replace the binary or update your container image tag. Low effort, low risk.

  • enhancementPin to this patch version in your automation

    If you're using Kubescape in CI/CD security scanning pipelines, update your pinned version to v4.0.5 to stay current with the dependency graph. This is especially relevant if your org has SCA tooling that flags transitive dependency staleness in scan tooling itself — a common audit finding.

主な変更 (3)
  • Go version updated to address potential toolchain-level vulnerabilities and compatibility
  • Dependency versions bumped across go.mod/go.sum
  • No functional changes, API changes, or new features introduced
原文

Kubescape

Security2026年4月17日

日本語 準備中v4.0.4 is a dependency maintenance release with security-relevant library bumps across gRPC, go-git, cloudflare/circl, go-jose, and hashicorp/go-getter, plus minor CLI bug fixes.

  • securityUpgrade immediately due to security-sensitive dependency updates

    Several updated libraries — hashicorp/go-getter, cloudflare/circl, go-jose, and go-git — have histories of CVEs covering path traversal, cryptographic weaknesses, and JWT attacks. While Kubescape's release notes don't call out specific CVEs, the jump from go-getter 1.7.9 to 1.8.6 and go-git 5.16.5 to 5.17.1 are both large version gaps. If you run Kubescape in CI pipelines or as part of automated scanning, update to v4.0.4 now rather than waiting for a scheduled maintenance window.

  • enhancementHelm 3.20.2 and gRPC 1.79.3 bring compatibility improvements

    The Helm SDK bump to 3.20.2 means Kubescape's chart scanning logic stays aligned with current Helm releases. If your clusters use recent Helm chart features, earlier Kubescape versions may have produced incomplete or inaccurate scan results. Rerun chart-level scans after upgrading to confirm coverage.

  • enhancementFix for duplicate flags in `scan image` — check any wrapper scripts

    If you have shell scripts or CI configs that pass flags explicitly to `kubescape scan image`, the duplicate-flag bug could have caused unexpected behavior or silent flag ignoring. After upgrading, verify your pipeline invocations still produce expected output.

主な変更 (5)
  • hashicorp/go-getter bumped from 1.7.9 to 1.8.6 — this library has a history of security CVEs around path traversal and SSRF
  • cloudflare/circl updated from 1.6.1 to 1.6.3, addressing cryptographic library fixes
  • go-jose/go-jose updated to 4.1.4, patching JWT/JWE handling issues
  • go-git bumped to 5.17.1 — prior versions had known git protocol vulnerabilities
  • Duplicate CLI flags removed from `scan image` subcommand, and error handling improved
原文

Dapr

Orchestration & Management2026年4月16日

日本語 準備中Critical security patch fixing ACL bypass via path traversal in service invocation — any deployment using access control policies must upgrade immediately.

  • securityUpgrade immediately if you use service invocation ACLs

    This is a real ACL bypass, not a theoretical one. If your Dapr deployment uses access control policies for service invocation and the Dapr API is reachable by untrusted callers — even internal ones — you are vulnerable. The gRPC vector is especially dangerous since it passes method strings raw with no sanitization. Upgrade to v1.15.14 now. There is no workaround short of disabling service invocation or isolating the Dapr API entirely.

  • securityAudit who can reach your Dapr API endpoints

    This vulnerability required API access, so the blast radius depends entirely on your network posture. After upgrading, take the opportunity to review which workloads and network paths can reach the Dapr HTTP and gRPC APIs. Sidecar-only access (localhost) is the safest posture — if you're exposing Dapr APIs more broadly, tighten that regardless of this fix.

  • breakingVerify your service invocation method paths still route correctly after normalization

    The fix applies path.Clean normalization to all method paths and rejects any containing #, ?, null bytes, or control characters. If any of your services legitimately use encoded slashes (%2F) as path separators in method names — particularly over gRPC where these were previously passed through raw — those calls will now behave differently. Test your service-to-service invocation patterns before rolling this to production.

主な変更 (5)
  • Path traversal sequences (e.g., admin%2F..%2Fpublic) could bypass service invocation ACL policies entirely
  • Encoded fragment (%23) and query (%3F) characters caused ACL to evaluate a different path than what reached the target app
  • A bare % character could crash ACL normalization, potentially bypassing the policy altogether
  • Fix normalizes method paths at the invocation edge using path.Clean, with rejection of #, ?, null bytes, and control characters
  • Go updated to v1.25.9 to cover CVEs in the 1.24 line; purell dependency removed from ACL path
原文

Argo

CI/CD & App Delivery2026年4月16日

日本語 準備中Argo CD v3.3.7 is a patch release fixing controller performance regressions, OIDC config handling, and several UI/security header issues.

  • securitySwagger UI endpoints now have clickjacking protection — upgrade if exposed

    X-Frame-Options and Content-Security-Policy headers were missing from Swagger UI endpoints. If your Argo CD API server is reachable from browsers (even internally), those endpoints were frameable. Upgrade to 3.3.7 to close this. No config change needed post-upgrade.

  • breakingOIDC auth may behave differently after upgrade if config was stale

    The fix ensures OIDC config reloads on server restart rather than using a cached/stale version. In practice this is a correctness fix, but if you've been working around stale OIDC behavior with manual pod restarts, verify SSO flows after upgrading to confirm expected behavior.

  • enhancementUpgrade if you're seeing excessive reconciliation or controller CPU spikes

    Two separate fixes address controller overhead: the parentUIDToChildren data structure change reduces memory churn on large clusters, and the informer resync fix stops unnecessary app refreshes that inflate API server load. If your controller is burning CPU or you're seeing constant reconcile loops, this patch is worth prioritizing.

主な変更 (5)
  • Controller performance improved: switched parentUIDToChildren to map-of-sets and reduced secret deep copies/deserialization overhead
  • OIDC config now properly refreshes on server restart — previously stale config could cause auth failures
  • X-Frame-Options and CSP headers added to Swagger UI endpoints, closing a clickjacking exposure
  • Prevented automatic refreshes triggered by informer resync and status updates, reducing unnecessary reconciliation churn
  • Fixed repo-server crashes caused by symlink handling in copyutil and missing repo.insecure flag propagation to helm dependency build
原文

Dapr

Orchestration & Management2026年4月16日

日本語 準備中v1.17.5 is a security-only patch fixing a path traversal vulnerability that allowed attackers to bypass service invocation ACL policies via encoded URL characters.

  • securityUpgrade immediately if you use service invocation ACLs

    Any deployment with access control policies for service invocation is vulnerable. An attacker with Dapr API access (HTTP or gRPC) could reach denied endpoints by encoding the path. gRPC is especially risky since method strings were passed raw. Upgrade to v1.17.5 now — there is no workaround short of removing Dapr API exposure entirely. After upgrading, audit your ACL policies to confirm expected paths are actually being enforced.

  • breakingMethod paths with #, ?, null bytes, or control characters are now rejected

    The fix adds strict validation: method paths containing #, ?, null bytes, or control characters are now rejected at the invocation edge. If any of your services use these characters in method paths (uncommon but possible with gRPC), those calls will fail after upgrade. Test your service invocation paths in a staging environment before rolling this to production.

主な変更 (5)
  • Path traversal sequences (e.g., %2F, ../) in service invocation method paths could bypass ACL checks — now fixed
  • Encoded fragment (%23) and query (%3F) characters caused ACL to evaluate a different path than what the target app received
  • A bare % character could crash ACL normalization, potentially disabling the policy entirely
  • gRPC was the more dangerous vector since it passes method strings raw with no client-side sanitization
  • Fix: normalization now happens at the invocation edge using path.Clean; purell dependency removed from ACL path
原文

Dapr

Orchestration & Management2026年4月16日

日本語 準備中Critical security fix: path traversal and encoded characters in service invocation method paths could bypass ACL policies entirely. Upgrade immediately if you use access control policies.

  • securityUpgrade immediately if you use Dapr ACL policies

    Any deployment with service invocation access control policies is vulnerable. An attacker with access to the Dapr HTTP or gRPC API can craft method paths that the ACL permits but route to denied endpoints. The gRPC vector is especially dangerous since no client-side sanitization occurs. Upgrade to v1.16.14 now — there is no viable workaround short of removing Dapr API access entirely. After upgrading, audit your ACL policy rules to confirm they match the normalized path forms (resolved ../ and no encoded separators).

  • breakingMethod paths with #, ?, null bytes, or control characters are now rejected

    The fix actively rejects method paths containing fragment (#), query (?), null bytes, or control characters rather than silently normalizing them. If any of your services invoke methods with these characters (unlikely but possible via programmatic gRPC calls), those calls will fail after upgrading. Review your service invocation call sites — especially any that construct method paths dynamically — before rolling this out to production.

主な変更 (5)
  • Path traversal sequences (../), encoded slashes (%2F), fragment (%23), query (%3F), and bare % in method paths could all bypass ACL policy checks
  • gRPC was the higher-risk vector — method strings are passed raw with no client-side sanitization, making all special characters exploitable
  • Root cause was a normalization mismatch: ACL evaluated a decoded/cleaned path while the target app received the raw original string
  • Fix applies path.Clean normalization at the invocation edge (before both ACL check and dispatch), and now rejects methods containing #, ?, null bytes, or control characters
  • The purell library has been removed from the ACL path; gRPC treats percent-encoded sequences as opaque literal characters, not path separators
原文

Argo

CI/CD & App Delivery2026年4月16日

日本語 準備中Argo CD v3.1.14 is a small patch fixing unnecessary app refreshes and a CI lockfile issue, plus a dependency bump for fast-xml-parser.

  • securityfast-xml-parser bump closes potential parsing vulnerabilities

    The fast-xml-parser library was bumped three minor versions. These kinds of XML parser updates often address denial-of-service or entity expansion issues. While Argo CD's exposure surface for this library is limited to the UI, staying current here is straightforward — just upgrade and verify UI functionality in your staging environment.

  • enhancementUpgrade if informer resync is flooding your refresh queue

    The fix for automatic refreshes triggered by informer resync and status updates is the real reason to pick up this patch. If you've been seeing excessive app refresh activity or high controller CPU load during resync windows, this addresses the root cause. Deploy this patch during your next maintenance window — it's low risk.

主な変更 (4)
  • Prevents automatic refreshes triggered by informer resync and status updates — a meaningful reduction in unnecessary reconciliation noise
  • Fixes yarn install running without --frozen-lockfile in CI, improving build reproducibility
  • Bumps fast-xml-parser from 4.5.3 to 4.5.6 in the UI dependency tree
  • All container images remain cosign-signed with SLSA Level 3 provenance
原文
← 新しい古い →
月別に見る