RATATOSKRATATOSK
ログイン

リリース

CNCF graduated・incubatingプロジェクトのリリースノートのAI分析。

2026年6月解除 ×

OpenKruise

CI/CD & App Delivery2026年6月21日

日本語 準備中OpenKruise v1.9.0 adds several useful workload features and fixes a pile of stability bugs — including CPU-spike and panic fixes that affect anyone running ImagePullJobs or SidecarSets in production.

  • breakingString-formatted maxUnavailable/maxSurge values now rejected by webhook

    Values like maxUnavailable: '5' (a quoted integer string) are now rejected at admission. If your manifests or Helm charts set these as strings instead of integers, the webhook will block them after upgrade. Audit your CloneSet and related workload specs before upgrading to v1.9.0.

  • enhancementFix ImagePullJob high CPU before upgrading large clusters

    A cascading reconcile amplification bug was causing ImagePullJob controllers to spike CPU. If you've been seeing unexpected controller-manager CPU pressure, this is likely the cause. Upgrading to v1.9.0 should resolve it — no config changes needed.

  • enhancementCloneSet progressDeadlineSeconds and OnDelete strategy now available

    CloneSet now supports progressDeadlineSeconds to surface stalled rollouts, and an OnDelete update strategy for manual upgrade control. Teams doing canary or phased rollouts with CloneSet should evaluate both options — progressDeadlineSeconds in particular fills a gap that previously required external monitoring to detect stuck updates.

主な変更 (5)
  • ImagePullJob: fixes high CPU caused by cascading reconcile amplification, and adds node-side concurrency control — critical for clusters with large image pull workloads
  • SidecarSet: fixes panics on pod deletion and during null pointer access; adds ordered container injection and shareVolumeDevicePolicy support
  • CloneSet: adds progressDeadlineSeconds, OnDelete update strategy, and fixes lifecycle hook bugs when CloneSetEventHandlerOptimization is enabled
  • UnitedDeployment: new ReserveUnschedulablePods feature keeps unschedulable pods reserved instead of replaced
  • PodUnavailableBudget now protects Pod RESIZE actions, useful when using in-place vertical scaling
原文

Helm

Kubernetes Core2026年6月20日

日本語 準備中Helm v3.21.2 updates Kubernetes client libraries to match v1.36. This is a routine patch for client library alignment; upgrade to stay compatible with Kubernetes v1.36 clusters.

  • enhancementUpdate to v1.21.2 if you run Kubernetes v1.36

    Helm v3.21.2 updates its Kubernetes client libraries (client-go) to match the v1.36 API. If you already run Kubernetes v1.36 clusters, upgrade Helm to v3.21.2 to ensure full compatibility and avoid potential client-server version skew issues. Teams on earlier Kubernetes versions are not blocked — the upgrade is optional but recommended for consistency.

主な変更 (3)
  • Kubernetes client libraries bumped to v1.36
  • Helm 3.22.0 will be the final feature release for Helm 3
  • 3.21.3 will contain only bug fixes
原文

Lima

Kubernetes Core2026年6月19日

日本語 準備中Lima v2.1.3 is a security-focused patch release fixing two CVEs: a privilege escalation in QEMU VMs and multiple containerd CVEs bundled via nerdctl v2.3.3. Upgrade promptly.

  • securityPatch QEMU privilege escalation (CVE-2026-53657) immediately

    Any unprivileged user inside a QEMU-backed Lima VM could gain root inside that VM by abusing the guest agent socket. If you share Lima VMs among multiple users or run untrusted workloads, this is high priority. Upgrade to v2.1.3 and restart affected VMs.

  • securitycontainerd CVE batch via nerdctl v2.3.3 — upgrade required

    Five CVEs in containerd are fixed in the bundled nerdctl v2.3.3 (containerd v2.3.2). If your Lima instances run container workloads, the old containerd is exposed. Upgrade Lima and recreate or restart VMs to pick up the new nerdctl binary.

  • breakingcontainerd.user defaults changed for non-Linux guests

    Lima no longer sets containerd.user=true by default on non-Linux guests (macOS, Windows). If you relied on rootless containerd on those platforms without explicitly setting this, validate your VM config after upgrading and set containerd.user=true explicitly if needed.

主な変更 (5)
  • Fixes CVE-2026-53657: arbitrary guest users could escalate to root via the QEMU guest agent socket
  • nerdctl bumped to v2.3.3, which bundles containerd v2.3.2 fixing CVE-2026-50195, CVE-2026-53488, CVE-2026-53492, CVE-2026-53489, CVE-2026-47262
  • Default template image switched from ubuntu-25.10 to ubuntu-26.04
  • containerd.user no longer defaults to true on non-Linux guests (behavior change for macOS/Windows VM workloads)
  • copytool: auto mode now falls back to scp when both source and destination are remote
原文

containerd

Kubernetes Core2026年6月18日

日本語 準備中containerd v2.1.9 is a security-focused patch release fixing 5 CVEs. Upgrade immediately if you run any containerd 2.1.x deployment.

  • securityPatch 5 CVEs — upgrade containerd 2.1.x now

    This release closes 5 CVEs in containerd itself. The advisories are not yet public so severity details are unavailable, but 5 CVEs in a single patch release is unusually high. Any team running containerd 2.1.x on production nodes should plan an upgrade this week. Check your Kubernetes node images, managed node groups, and any bare-metal CRI setups.

  • securityrunc updated to v1.3.6 — verify your runc version separately

    The bundled runc binary ships as v1.3.6, which likely carries its own fixes. If you manage runc independently (common on Kubernetes nodes), confirm you are also running v1.3.6 or later — upgrading containerd alone will not replace a separately installed runc binary.

  • enhancementCheckpoint restore hardened against malicious archive content

    Three CRI fixes tighten checkpoint/restore: unexpected archive content is now rejected, re-tagging of restored checkpoints is skipped, and CDI annotations are filtered. If your team uses container checkpointing (e.g., CRIU-based live migration), test restore workflows after upgrading to confirm behavior is unchanged.

主な変更 (5)
原文

containerd

Kubernetes Core2026年6月18日

日本語 準備中containerd 1.7.33 patches two containerd CVEs and one go-jose CVE, updates runc to v1.3.6, and bumps Go. Security-only motivation to upgrade.

  • securityUpgrade to 1.7.33 for three CVE fixes

    Two CVEs in containerd itself (CVE-2026-53488, CVE-2026-47262) and one in go-jose (CVE-2026-34986) are patched here. Full details are in the GitHub security advisories. If you are running containerd 1.7.x in production, upgrade now — there is no other reason to stay on an earlier 1.7.x patch.

  • securityReserved labels can no longer leak from image configs

    A fix was added to prevent reserved labels being propagated from image configs. If your environment relies on label-based access control or policy enforcement, verify that behavior is unchanged after upgrading and check the advisory for CVE-2026-47262 for scope.

  • enhancementrunc updated to v1.3.6

    The bundled runc binary moves from whatever 1.7.32 shipped to v1.3.6. If you manage runc separately, make sure your installed version is at least v1.3.6 to stay consistent with what containerd expects.

主な変更 (5)
  • CVE-2026-53488 and CVE-2026-47262 patched in containerd core (advisories on GitHub)
  • CVE-2026-34986 in go-jose fixed by bumping go-jose/v3 to v3.0.5
  • runc binary updated to v1.3.6
  • Go runtime updated to 1.26.4 / 1.25.11
  • User-database file reads now bounded in openBoundedUserFile (hardening fix)
原文

containerd

Kubernetes Core2026年6月18日

日本語 準備中containerd v2.0.10 patches two CVEs (CVE-2026-53488, CVE-2026-47262) and updates runc to v1.3.6. Upgrade promptly if running 2.0.x in production.

  • securityTwo CVEs fixed — upgrade now

    CVE-2026-53488 and CVE-2026-47262 are both addressed in this release. The advisories (GHSA-xhf5-7wjv-pqxp and GHSA-jpcc-p29g-p8mq) have full details on impact and scope. Any containerd 2.0.x node running in production should be upgraded to v2.0.10 before assessing whether you're actually exposed — these are runtime-level issues and the blast radius can be broad.

  • securityrunc bumped to v1.3.6

    The runc binary shipped with containerd is updated to v1.3.6, which itself carries fixes from v1.3.4 and v1.3.5. If you manage runc separately (e.g., installed via package manager), verify your runc version independently and align it with v1.3.6.

  • enhancementImage config reserved labels no longer propagate

    Labels reserved by containerd are now stripped from image configs before use. If you rely on any tooling that reads propagated reserved labels from running containers, test behavior after upgrading — this is a quiet behavioral change that may affect label-based automation.

主な変更 (5)
  • CVE-2026-53488 patched — see GHSA-xhf5-7wjv-pqxp for details
  • CVE-2026-47262 patched — see GHSA-jpcc-p29g-p8mq for details
  • runc updated to v1.3.6
  • Go runtime updated to 1.26.4/1.25.11
  • Bounded reads added for user-database file access; reserved labels no longer propagated from image configs
原文

containerd

Kubernetes Core2026年6月18日

日本語 準備中containerd 2.3.2 is a security-heavy patch release fixing 5 CVEs alongside runtime stability fixes. Upgrade promptly if you're running 2.3.x in production.

  • security5 CVEs fixed — upgrade 2.3.x nodes now

    Five CVEs are patched in this release, covering containerd's core. The advisories are not yet fully public, but the breadth (5 in one patch) suggests meaningful attack surface. Teams running containerd 2.3.x in any environment should upgrade to 2.3.2 without waiting for the next maintenance window. Check your node provisioning pipelines and update the containerd binary alongside runc (now v1.4.3).

  • enhancementRetry on transient network errors during image pull

    The resolver now retries on transient network errors when the last configured host is tried. This reduces pull failures in flaky network environments without requiring any config change. No action needed, but useful context if you've been seeing intermittent image pull errors under network instability.

  • enhancementSlow container creation no longer causes RPC timeout failures

    A lock in the runc shim was held across the runc create call, causing concurrent RPC timeouts and startup failures when container creation was slow. This is now fixed. If you've seen containers stuck or failing to start under load, this patch likely addresses it.

主な変更 (5)
  • 5 CVEs patched (CVE-2026-50195, CVE-2026-53488, CVE-2026-53492, CVE-2026-53489, CVE-2026-47262) — full advisories on GitHub Security
  • runc updated to v1.4.3 and Go runtime bumped to 1.26.4
  • golang.org/x/crypto bumped from v0.49.0 to v0.53.0, along with other golang.org/x dependency updates
  • Fixed a data race in Windows shim log reads (deferredPipeConnection)
  • Fixed concurrent task RPC timeout causing container startup failures during slow container creation
原文

containerd

Kubernetes Core2026年6月18日

日本語 準備中containerd 2.2.5 is a security-heavy patch release fixing 5 CVEs, with runc bumped to v1.3.6 and Go updated to 1.26.4/1.25.11. Upgrade promptly if running 2.2.x.

  • securityPatch 5 CVEs — upgrade 2.2.x nodes now

    This release closes 5 CVEs in containerd itself. Details are in the linked security advisories. Any cluster running containerd 2.2.x should upgrade to 2.2.5. The runc bump to v1.3.6 may also carry its own fixes — check the runc release notes before rolling out.

  • securitygolang.org/x/crypto and net updated — relevant if you build custom plugins

    golang.org/x/crypto jumped from v0.45.0 to v0.53.0 and golang.org/x/net from v0.47.0 to v0.55.0. If you vendor containerd or build plugins against its libraries, re-vendor and rebuild. The crypto jump in particular covers several upstream security fixes across that range.

  • enhancementCheckpoint/restore is more reliable in this release

    Three separate CRI fixes land here: CDI annotations are now filtered on checkpoint restore, restored checkpoints are no longer incorrectly re-tagged, and the restore path is hardened against malformed archive content. If you use container checkpoint/restore in production, this release is worth prioritizing.

主な変更 (5)
  • 5 CVEs patched: CVE-2026-50195, CVE-2026-53488, CVE-2026-53492, CVE-2026-53489, CVE-2026-47262
  • runc binary updated to v1.3.6
  • Go runtime updated to 1.26.4/1.25.11
  • golang.org/x/crypto bumped from v0.45.0 to v0.53.0 along with other x/ dependency updates
  • CRI checkpoint restore hardened: CDI annotation filtering, re-tagging fix, and robustness against unexpected archive content
原文

Argo

CI/CD & App Delivery2026年6月18日

日本語 準備中Argo CD 3.4.4 is a patch release focused on stability fixes for health checks, RBAC, diffs, and template rendering. Update if you run multi-namespace setups or use Dex authentication.

  • breakingRBAC regression fix for multi-namespace setups

    A prior release introduced a regression in RBAC enforcement for project-scoped resources in multi-namespace architectures. This patch restores correct behavior. If you use project-level RBAC restrictions across multiple namespaces, verify that access controls work as expected after upgrading, particularly around project-scoped resource visibility.

  • enhancementHealth check reliability improvement

    The PromotionStrategy health check was incorrectly reporting Progressing after no-op re-hydration, blocking deployments. This is now fixed. If you use PromotionStrategy with ArgoCD, upgrade to avoid stalled health states that require manual intervention to clear.

  • enhancementServer-side diff regression resolved

    A recent change broke server-side diffs on new objects, causing errors. This patch restores diff functionality. If you rely on server-side diffs in your deployment pipeline (especially for new resources), apply this update to restore normal diff behavior.

主な変更 (5)
  • Fixed PromotionStrategy health check regression that left resources stuck in Progressing state
  • Resolved RBAC regression affecting project-scoped resources in multi-namespace deployments
  • Fixed diff error on new objects in server-side diffs
  • Patched Dex password parsing to handle dollar signs correctly
  • Resolved cross-generator Values template resolution in ApplicationSet RenderGeneratorParams
原文

Argo

CI/CD & App Delivery2026年6月18日

日本語 準備中Argo CD v3.3.12 is a maintenance release fixing sync state tracking, cluster observer locking, configuration parsing, and git repository depth handling—no breaking changes.

  • securityDex authentication now handles special characters in passwords

    Dex password parsing previously failed if passwords contained dollar signs, potentially locking users out. If you use Dex for OIDC and recently added or updated passwords with special characters, upgrade to v3.3.12 immediately to restore access. Test Dex login after updating.

  • enhancementFix PromotionStrategy stuck state if using Argo Rollouts

    If you run Argo CD with Argo Rollouts and use PromotionStrategy, applications may have remained stuck in Progressing after configuration reloads even when nothing changed. Update to v3.3.12 to resolve this. Check your application health status post-upgrade to confirm recovery.

主な変更 (5)
  • PromotionStrategy health status no longer stuck in Progressing after no-op re-hydration
  • Cluster informer now protected by lock to prevent concurrent access issues
  • Dex password parsing fixed to handle dollar signs correctly
  • Git repository depth setting now honored in change detection and fetch operations
  • Live status excluded from normalization to improve accuracy
原文

Helm

Kubernetes Core2026年6月17日

日本語 準備中Helm v4.2.2 reverts a premature exit fix in WaitForDelete that was causing test failures. A one-line patch addressing a race condition in status observation.

  • breakingWaitForDelete race condition re-introduced—test suite hangs may return

    The patch that fixed a race condition in WaitForDelete (where the status observer canceled the watch too early) has been reverted in v4.2.2. If you run comprehensive Helm test suites or rely on WaitForDelete behavior, you may see intermittent hangs or timeouts again. Monitor test runs for flakiness after upgrading. A proper fix is likely incoming in a future patch—do not stay on v4.2.2 longer than necessary.

主な変更 (2)
  • Reverted the fix for early exit in WaitForDelete that was causing intermittent test failures when running full test suites
  • Race condition in status observer no longer cancels the watch prematurely
原文

Prometheus

Observability2026年6月17日

日本語 準備中Prometheus v3.5.4 is a security-focused patch: fixes a secret-exposure bug in STACKIT SD and bumps several Go/UI dependencies to patch known CVEs. Upgrade promptly.

  • securityRotate STACKIT SD credentials if you use that SD

    The /-/config endpoint was exposing STACKIT service discovery secrets in plaintext. If your Prometheus instance uses STACKIT SD and /-/config was reachable by anyone other than admins, assume those credentials are compromised and rotate them. Upgrade to v3.5.4 immediately, then restrict access to /-/config behind authentication.

  • securityUpgrade to patch three Go CVEs in golang.org/x/net and OpenTelemetry

    GO-2026-5026, GO-2026-4918, and GO-2026-4985 are addressed by bumping golang.org/x/net to v0.55.0 and OpenTelemetry to v1.43.0. If you run Prometheus exposed to untrusted network traffic, this upgrade should not wait for your next maintenance window.

  • enhancementghcr.io image publishing available as an alternative pull source

    Prometheus images are now also on ghcr.io. If your environment has rate-limit or access issues with Docker Hub, you can switch your image pull source to ghcr.io/prometheus/prometheus without waiting for a feature release.

主な変更 (4)
  • STACKIT SD leaked secrets in plaintext via /-/config endpoint (GHSA-39j6-789q-qxvh) — now fixed
  • golang.org/x/net and OpenTelemetry bumped to patch GO-2026-5026, GO-2026-4918, GO-2026-4985
  • UI dependencies (react-router-dom, vite, vitest, postcss) updated to patched versions
  • Container images now published to ghcr.io in addition to existing registries
原文

Strimzi

Networking & Messaging2026年6月17日

日本語 準備中Strimzi 1.0.1 patches two CVEs and disables cross-namespace Entity Operator watching by default. The v1-only CRD API requirement from 1.0.0 remains enforced — no v1beta2/v1beta1/v1alpha1.

  • securityPatch two CVEs — upgrade promptly

    CVE-2026-55225 and CVE-2026-55226 are fixed in 1.0.1. Details are in the Strimzi security advisories. Given both are fixed in the same patch release, treat this as a security-motivated upgrade and prioritize it over waiting for a convenient maintenance window.

  • breakingEnable cross-namespace watching explicitly if you use watchedNamespace

    If your Kafka CR's Entity Operator section has watchedNamespace set to a namespace different from the Kafka cluster's namespace, the Topic or User Operator will stop watching it after upgrading. Before or immediately after upgrading, set STRIMZI_ENTITY_OPERATOR_WATCHED_NAMESPACE_ENABLED=true in your Cluster Operator deployment. Check all Kafka CRs across namespaces — missing this will silently break topic/user reconciliation.

  • breakingComplete CRD migration to v1 before upgrading

    Strimzi 1.0.1 (like 1.0.0) only accepts v1 CRDs. If you skipped the migration step when moving to 1.0.0, or if you are upgrading from an older release directly, run the CRD conversion procedure documented in the Strimzi 1.0.1 deploying guide before applying the new operator manifests. Applying the operator without converted CRDs will cause reconciliation failures.

主な変更 (4)
  • All older CRD API versions (v1beta2, v1beta1, v1alpha1) are dropped — only v1 is supported. CRD conversion must be completed before upgrading.
  • Two CVEs patched: CVE-2026-55225 and CVE-2026-55226.
  • Entity Operator cross-namespace watching is now disabled by default. A new env var controls it: STRIMZI_ENTITY_OPERATOR_WATCHED_NAMESPACE_ENABLED.
  • Teams using watchedNamespace in the Entity Operator section of their Kafka CR (pointing to a different namespace) must explicitly re-enable the feature after upgrading.
原文

wasmCloud

Orchestration & Management2026年6月17日

日本語 準備中wasmCloud 2.4.0 adds autoscaling for WorkloadDeployments, expands architecture support (s390x), and improves the wash CLI and host plugin API. Mostly incremental improvements with some operational benefits.

  • enhancementEnable autoscaling for WorkloadDeployments if you manage variable-load services

    wasmCloud 2.4.0 adds autoscaling to WorkloadDeployments. If you currently run static replica counts and workload demand fluctuates (peak hours, batch processing windows, etc.), enable autoscaling to reduce manual scaling and idle cost. Review the autoscaling configuration in your Helm charts or YAML manifests and test thresholds in a staging environment before rolling to production.

  • enhancementUpdate wash CLI if you deploy on s390x or other non-x86 systems

    wash now builds for s390x-unknown-linux-gnu. If your infrastructure uses IBM mainframes or other s390x systems, you can now build and run wash natively instead of via emulation or workarounds. Fetch the new binary from the release assets and validate it works with your host setup.

  • enhancementReview container health check configuration to rely on NATS connectivity

    Container health checks now use NATS connectivity status rather than a separate probe. This simplifies failure detection: if the container loses NATS connection, it's marked unhealthy faster. Verify your health check thresholds and timeouts still work for your deployment, especially if you have high-latency or congested networks where NATS reconnection may take longer.

主な変更 (5)
  • Autoscaling support for WorkloadDeployments lets you scale workloads based on demand instead of manual sizing.
  • wash CLI now supports s390x-unknown-linux-gnu builds, expanding hardware platform coverage.
  • Host plugin API ergonomics improved via wash-runtime refactor, reducing friction for custom plugins.
  • Container health checks now use NATS connectivity status for more accurate failure detection.
  • Multiple subscription workloads support enables a single workload to receive from multiple topics.
原文

OpenFGA

Security2026年6月17日

日本語 準備中v1.18.0 patches two auth security bugs and fixes MySQL case-sensitivity. MySQL users must plan a maintenance window before upgrading — auto-migration will lock tuple/changelog tables.

  • securitySilent OIDC audience bypass — check your auth config before upgrading

    If authn.oidc.audience was previously omitted, any validly-signed token from your trusted issuer was accepted regardless of intended audience. After upgrading, OpenFGA will refuse to start without both issuer and audience set. Verify your deployment config has authn.oidc.audience explicitly set, or the service will not come up.

  • securityPreshared key timing side-channel fixed — no action needed if you rotate keys

    The prior map lookup for preshared key auth could reveal valid key bytes via timing differences. Now fixed with constant-time comparison. No immediate action required, but if this key has been exposed to untrusted network paths for a long time, rotating the preshared key is a reasonable precaution.

  • breakingMySQL users: do not auto-migrate on startup

    Migration 008 acquires a shared lock on tuple and changelog tables. On large datasets this can block Write operations for an extended period. Read the operator runbook at the collation_migrations.md guide, schedule a maintenance window, and run the migration manually rather than letting OpenFGA auto-migrate on startup.

主な変更 (4)
  • MySQL schema migration 008 changes collation to enforce case-sensitive identifier comparison; acquires a shared lock on tuple and changelog tables during migration
  • Preshared key auth now uses constant-time comparison, closing a timing side-channel that could leak information about valid key bytes
  • OIDC config validation tightened: OpenFGA now refuses to start if authn.oidc.issuer or authn.oidc.audience is missing, preventing silent JWT audience bypass
  • MySQL identifier comparison now matches Postgres and SQLite behavior (case-sensitive)
原文

Rook

Storage & Data2026年6月16日

日本語 準備中Rook v1.20.1 is a patch release focused on Ceph operator stability: Ceph CSI driver compatibility, OSD major-version handling, and CSI-addons disabled by default to reduce unexpected behavior.

  • breakingCSI-addons disabled by default — check cluster dependencies

    CSI-addons (snapshot, clone, and expansion features) are now disabled by default in v1.20.1. If your workloads rely on these features, you must explicitly enable them in the Ceph cluster spec or your RWX volume snapshots and clones will fail. Review helm values and operator configs to enable addons before upgrade if needed.

  • enhancementUse node labels for OSD device class assignment instead of manual mapping

    Instead of hardcoding device class assignment per node, you can now use Kubernetes node labels (like `disk-type: ssd`) to automatically classify OSDs. This simplifies scaling clusters with mixed hardware. Apply node labels, then reference them in the Ceph cluster spec to avoid per-node configuration drift.

  • enhancementOSD require-osd-release is now enforced after major Ceph upgrades

    After a major Ceph version upgrade (e.g., Quincy to Reef), Rook now sets `require-osd-release` automatically to prevent old OSDs from rejoining before the cluster is ready. Before upgrade, ensure all OSDs can be updated together; if you have pinned some OSDs to an older version, they will be blocked from joining until unpinned.

主な変更 (5)
  • Helm chart now includes Rook-compatible Ceph CSI driver values for easier integration
  • OSD require-osd-release is enforced after Ceph major upgrades to prevent version mismatch issues
  • CSI-addons disabled by default to prevent unintended feature activation
  • Node labels can now be used for OSD device class assignment, replacing manual configuration
  • Stale MDS and RGW pod disruption budgets are cleaned up automatically to avoid blocking cluster operations
原文

Backstage

CI/CD & App Delivery2026年6月16日

日本語 準備中v1.52.0 has three breaking changes (discovery API default, immediate stitching removed, BUI union types) alongside significant catalog PostgreSQL performance fixes and a batch of UX and reliability improvements.

  • breakingCheck discovery.endpoints and remove immediate stitching config

    Two breaking changes need attention before upgrading. First, if you use `discovery.endpoints` with internal-only string targets, convert them to object form with `target.internal` set to the internal URL and `target.external` set to a browser-reachable URL — otherwise the frontend will try to reach internal addresses directly. Second, remove `catalog.stitchingStrategy.mode: 'immediate'` from your config; it's now a no-op and will log deprecation warnings. Both changes are straightforward config edits.

  • breakingMigrate ComboboxProps and SelectProps extensions before upgrading

    `ComboboxProps` and `SelectProps` are now union types. If your codebase has interfaces that extend either type, they will fail to compile — switch them to type intersections. Also audit CSS selectors that target list content as a direct child of `.bui-SelectPopover`, as that structure changed. These are frontend component-layer changes with no runtime fallback.

  • enhancementCatalog query performance improvements for PostgreSQL — no action needed, just upgrade

    Several PostgreSQL-specific query planner fixes ship in this release: multi-column statistics on the search table, a dropped redundant index, tuned vacuum thresholds, and a split count/list query. If your catalog list views are slow with large entity counts, this upgrade is worth prioritizing. No config changes needed — the improvements apply automatically via migration. Teams on MySQL/SQLite won't see the same gains.

主な変更 (7)
  • Default discovery API in @backstage/plugin-app changed to FrontendHostDiscovery; internal-only string targets in discovery.endpoints must be migrated to object form
  • catalog.stitchingStrategy.mode: 'immediate' removed — configs still using it will be silently ignored with a warning
  • ComboboxProps and SelectProps changed to union types, breaking any interface that extended them directly
  • Catalog backend gets multiple PostgreSQL query planner fixes — extended statistics, dropped legacy index, split count query — targeting 10-40x slower list views
  • @backstage/connections experimental package added as a preview of the future integrations replacement; not for production use
  • Lazy-loading of react-syntax-highlighter and @dagrejs/dagre cuts ~10 MB from the initial module load of @backstage/core-components
  • Newly scaffolded apps now use Yarn 4.13.0 with npmMinimalAgeGate: 3d enabled as a supply-chain defense
原文

KubeVirt

Orchestration & Management2026年6月16日

日本語 準備中KubeVirt v1.8.4 is a patch release fixing a gRPC connection leak in virt-handler that caused memory growth, patching CVE-2026-35469 in spdystream, and adding missing metrics/alerts.

  • securityPatch CVE-2026-35469 by upgrading to v1.8.4

    The moby/spdystream dependency carried CVE-2026-35469 (GHSA-pc3f-x583-g7j2). If you're on any v1.8.x release before v1.8.4, upgrade now. Check your internal scanner results for this CVE to confirm exposure before and after the upgrade.

  • breakinggRPC connection leak fix may change virt-handler resource footprint

    The connection leak in GetLauncherClient caused unbounded memory and goroutine growth when multiple controllers raced on the same VMI. After upgrading, virt-handler memory usage should drop noticeably in clusters with high VMI churn. If you have memory-based alerts or resource limits tuned to the leaked baseline, revisit those thresholds post-upgrade.

  • enhancementNew metrics and alerts for virt components — update dashboards

    Missing metrics, recording rules, and alerts were added for virt components. Review what's new against your existing Prometheus/Alertmanager setup and add any new alerts to your runbooks. This is a good time to audit alert coverage gaps you may have been living with.

主な変更 (4)
  • CVE-2026-35469: moby/spdystream bumped from v0.5.0 to v0.5.1 to address GHSA-pc3f-x583-g7j2
  • Fixed gRPC connection leak in virt-handler's GetLauncherClient — caused unbounded memory growth, socket accumulation, and goroutine leaks under controller races
  • Added missing metrics, recording rules, and alerts for virt components
  • Node-labeller now uses --expand-cpu-features and --supported-cpu-features flags
原文

Cilium

Networking & Messaging2026年6月16日

日本語 準備中Cilium v1.19.5 is a bugfix-heavy patch release addressing policy enforcement bugs, Gateway API panics, and load-balancer correctness issues. No CVEs, but several fixes warrant attention before upgrading.

  • breakingMigrate away from `l2podAnnouncements.interface` Helm value before upgrading

    The `l2podAnnouncements.interface` Helm key was removed because it wrote a configmap entry the agent no longer reads, causing crash-loops when L2 pod announcements are enabled. Before upgrading, check your Helm values for this key and replace it with `l2podAnnouncements.interfacePattern`. Clusters using the old key will fail to start after the upgrade.

  • breakingCheck CiliumEgressGatewayPolicy if you use NamespaceSelector

    A bug caused the NamespaceSelector field in CiliumEgressGatewayPolicy to be silently corrupted, making those rules ineffective. After upgrading to 1.19.5, verify that egress policies with NamespaceSelector are actually being enforced — traffic that was previously leaking may now be blocked.

  • enhancementVerify ipBlock network policies if you rely on selectorless rules

    A bypass was fixed where wildcard namespace selectors could skip ipBlock rules without a pod selector. If you have CiliumNetworkPolicies using ipBlock without explicit namespace selectors, review them post-upgrade to confirm enforcement behavior matches your intent — the fix may change observed traffic patterns.

主な変更 (5)
  • Fixed wildcard namespace bypass for selectorless ipBlock rules — network policy was not enforced correctly in some cases
  • Removed defunct `l2podAnnouncements.interface` Helm value; clusters using it will crash-loop unless migrated to `interfacePattern`
  • Fixed CiliumEgressGatewayPolicy NamespaceSelector corruption that silently rendered egress policies ineffective
  • Fixed node connectivity disruption when ClusterIP/LoadBalancer VIPs overlapped with node-local IPs
  • Load-balancing backend internals refactored to handle thousands of services sharing a backend without performance degradation
原文

Cilium

Networking & Messaging2026年6月16日

日本語 準備中Cilium 1.18.11 is a patch release focused on stability, fixing memory leaks, socket handling crashes, and Gateway API routing bugs. No breaking changes; safe to adopt for teams running 1.18.x in production.

  • securityApply patch if you see agent crashes in socket handling

    Cilium 1.18.11 fixes a nil pointer dereference in filterAndDestroySockets that could crash the agent. If you have seen sudden agent pod restarts or panic logs mentioning socket filtering, upgrade promptly. This is a stability issue that affects 1.18.10 and earlier.

  • breakingVerify MTU settings on non-Cilium interfaces after upgrade

    1.18.11 changes MTU handling to skip interfaces not managed by Cilium. If your infrastructure depends on Cilium adjusting MTU on external interfaces (e.g., host-managed veth pairs), test this upgrade in a staging environment first. Mark interfaces with altname to ensure they are recognized as Cilium-owned; otherwise, MTU will not be modified.

  • enhancementAdopt if running Kubernetes Gateway API with TLS routes

    This patch fixes two distinct bugs in Gateway API support: weighted backend routing for TLSRoute passthrough and mixed listener handling. If you use Gateway API with TLS termination or passthrough, this upgrade eliminates silent routing failures. No configuration changes needed; test existing Gateway API resources in a staging cluster first.

主な変更 (5)
  • Fixed memory leak in StateDB watch channel hash map reuse for large transactions
  • Corrected weighted backend traffic splitting for TLSRoute passthrough listeners in Gateway API
  • Fixed nil pointer dereference in socket filtering code that could crash the agent
  • Fixed MTU change behavior to only affect Cilium-managed interfaces, skipping others
  • Improved troubleshoot commands to report more kvstore and clustermesh diagnostic data
原文

Cilium

Networking & Messaging2026年6月16日

日本語 準備中Cilium v1.17.17 is a patch release fixing CiliumNode retry logic in multipool, improving troubleshoot command output, and updating dependencies. Primarily maintenance-focused with no breaking changes.

  • enhancementTest multipool deployments after upgrade

    Cilium v1.17.17 fixes a retry mechanism for CiliumNode lookups that was causing intermittent failures in multipool setups. If you run multi-pool IP allocation (multiple resource pools per cluster), test pod scheduling and IP assignment post-upgrade to confirm the fix resolves any flapping you observed.

  • enhancementUse enhanced troubleshoot output for cluster diagnosis

    The troubleshoot kvstore and clustermesh commands now report more diagnostic details. When investigating kvstore or clustermesh connectivity issues, re-run these commands after upgrading—the richer output will likely surface root causes faster than before.

  • enhancementCheck Envoy proxy behavior after updating to v1.37.x

    The bundled Envoy proxy jumps to v1.37.x in this patch. Review Envoy release notes for v1.37.x for any behavioral changes in HTTP/2, load balancing, or observability that might affect your traffic patterns. No action required unless you rely on specific Envoy 1.36.x behavior.

主な変更 (4)
  • CiliumNode Get errors now retry correctly in multipool environments, fixing potential connectivity gaps
  • Troubleshoot kvstore and clustermesh commands report additional diagnostic information
  • Envoy proxy bumped to v1.37.x; Helm charts now support registry prefix override
  • Dependency updates: Go packages, Kubernetes utilities, and Ubuntu base image refreshed
原文

Flatcar Container Linux

Provisioning & Runtime2026年6月16日

日本語 準備中Flatcar stable-4593.2.3 ships Linux 6.12.93 with eight kernel CVE patches and adds NVMe/TCP support for NVMe-oF storage backends.

  • securityPatch eight kernel CVEs — update nodes now

    This release fixes eight Linux kernel CVEs. Details on severity are not yet in NVD for these 2026-prefixed IDs, but any kernel CVE batch warrants prompt node rotation. If you run Flatcar on bare metal or cloud VMs, schedule a node drain-and-replace cycle soon — do not wait for the next maintenance window if these IDs affect your kernel subsystems.

  • enhancementNVMe/TCP opens up NVMe-oF storage backends

    NVMe over Fabrics via TCP is now available in the kernel module set. If your storage team uses NVMe-oF targets (e.g., disaggregated storage arrays or SPDK-based backends), Flatcar nodes can now connect without a custom kernel build. Test in staging before relying on this in production — confirm the nvme-tcp module loads correctly on your target image.

主な変更 (3)
  • Eight Linux kernel CVEs patched (CVE-2026-46323, -46315, -46275, -46244, -46243, -46322, -46321, -46316)
  • Kernel updated to 6.12.93 (includes 6.12.92 changes)
  • NVMe/TCP support added, enabling NVMe over Fabrics storage connectivity
原文

Dapr

Orchestration & Management2026年6月16日

日本語 準備中Dapr v1.18.1 is a focused bug-fix release for the workflow engine, patching five issues including reminder leaks, permanent sidecar unavailability after config reload, and stuck workflows.

  • breakingHelm users: workflow concurrency limits were silently ignored before this release

    If you set globalMaxConcurrentWorkflowInvocations, globalMaxConcurrentActivityInvocations, or the per-name limit fields on a Configuration resource and installed via Helm, those limits were never enforced. After upgrading to 1.18.1 the CRD schema is correct and limits will actually take effect. Review your configured values before upgrading in production — limits that were previously ignored will now be applied, which could throttle throughput if the values are too conservative.

  • enhancementUpgrade if you run agentic or long-running loop workflows

    Three bugs in this release specifically affect workflows that loop via ContinueAsNew or repeatedly await the same external event name — patterns common in agentic workloads. The reminder leak accumulates garbage reminders over a workflow's lifetime; the ContinueAsNew deadlock causes indefinite hangs with no timeout or error. Both are fixed here. If you see workflows stuck in RUNNING or observe spurious wake-ups in loop workflows, upgrade to 1.18.1.

  • enhancementConfig hot-reload now works reliably for workflow sidecars

    Before this fix, any SIGHUP-triggered config reload on a sidecar hosting workflow workers could permanently break the sidecar — port 50001 stops accepting connections and the only recovery was a pod restart. This is now fixed. If your team uses config hot-reload in any workflow-hosting deployment, 1.18.1 should be treated as a required upgrade.

主な変更 (5)
  • Workflow timer reminders no longer leak when the same external event name is awaited multiple times in a loop
  • Config hot-reload (SIGHUP) no longer leaves workflow sidecars permanently stuck — streaming workers now close cleanly on shutdown
  • Sidecars no longer restart on Kubernetes operator resync events that carry no actual config change
  • Child workflow completions crossing a ContinueAsNew boundary no longer cause parent workflows to hang forever in RUNNING state
  • Helm chart CRD for Configuration now includes the workflow/activity concurrency limit fields introduced in v1.18.0
原文

Linkerd

Networking & Messaging2026年6月16日

日本語 準備中Linkerd edge-26.6.2 patches policy and profile validation bugs, tightens namespace restrictions on external workloads, and upgrades to Envoy proxy v2.357.0 with unified failure accrual tuning.

  • securityProfile validation now rejects nil configs

    The nil check in profile validation closes a path to crashes on malformed configs. No immediate action needed, but if your automation generates profiles programmatically, ensure they always have valid structure before applying them.

  • breakingNamespace-restricted external workloads may affect routing

    External workloads and endpoints now honor namespace boundaries. If you cross namespaces with external workloads in your Linkerd setup, verify routing still works after upgrade. Update any policies that rely on previous (unrestricted) cross-namespace access.

  • enhancementTune load balancing with unified failure accrual

    Unified failure accrual and response-penalty load biasing gives you finer control over how proxies handle slow or failing endpoints. Test this in a canary namespace first—adjust failure thresholds and penalty weights to match your SLOs. Check Linkerd docs for new policy knobs.

主な変更 (5)
  • Policy validation: removed inappropriate AuthN policy check; corrected typos in outbound index rules.
  • Profile validation: added nil check to prevent crashes during validation.
  • Namespace isolation: external workloads and endpoints now respect namespace boundaries to prevent cross-namespace leakage.
  • Load balancing: unified failure accrual and response-penalty biasing in policy engine.
  • Proxy upgrade: Envoy v2.357.0; Go 1.25.11 for build.
原文

Dapr

Orchestration & Management2026年6月15日

日本語 準備中Dapr 1.17.10 fixes a bug where resiliency retry policies with `matching` rules on pubsub publish operations were silently ignored, causing terminal errors to be retried unnecessarily. Teams using pubsub with resiliency retry configuration should upgrade to enforce intended retry behavior.

  • breakingRetry behavior change for pubsub publish errors

    If you have resiliency policies with `matching` rules targeting pubsub outbound retry, publish errors will now be classified correctly and non-retriable errors will stop retrying immediately instead of exhausting maxRetries. Verify your resiliency configuration expectations: terminal errors (e.g., 401 Unauthorized, 404 Not Found) will no longer consume retry attempts. If your application relied on the old behavior of always retrying publish, adjust your retry policy or remove the `matching` constraint.

  • enhancementEnforce resiliency policy intent for pubsub

    Upgrade to 1.17.10 if you've configured resiliency policies with explicit `matching` codes for pubsub publish — your configuration will now work as intended. This brings pubsub publish in line with service invocation, output bindings, and other operations that already respect retry `matching`. No code changes needed; the fix is transparent.

主な変更 (3)
  • Resiliency retry `matching` (httpStatusCodes/gRPCStatusCodes) is now respected on pubsub Publish and BulkPublish operations
  • Publish errors are now wrapped in resiliency.CodeError when they carry gRPC status, matching behavior in other policy runners
  • Terminal pubsub errors (invalid topic, unauthorized) now fail fast instead of retrying up to maxRetries
原文

Dapr

Orchestration & Management2026年6月15日

日本語 準備中Dapr 1.16.16 fixes two downgrade-specific bugs: Sentry certificate signing failures after a 1.18→1.16 rollback, and Helm StatefulSet storage conflicts when downgrading from 1.17/1.18.

  • breakingFollow specific Helm flags when downgrading to 1.16.16

    Use --reset-values and explicitly pass the original install values. Do NOT use --reuse-values — it carries over 1.17/1.18 chart defaults that are invalid in 1.16, including placement disseminateTimeout=8s (1.16 only accepts 1s–3s), which will cause placement to fail at startup. If you skipped deleting the scheduler StatefulSet before downgrading, you may still need to pass --set dapr_scheduler.cluster.storageSize=<current size> or delete the StatefulSet with --cascade=orphan.

  • breakingClusters downgraded from 1.18 to 1.16 need this patch to fix Sentry

    If you rolled back from Dapr 1.18 to any earlier 1.16.x release, Sentry is likely crashing on startup due to the Ed25519/ECDSA key type mismatch in the trust bundle. Upgrade to 1.16.16 to resolve it — no manual certificate rotation is required after upgrading.

主な変更 (4)
  • Sentry no longer crashes when the trust bundle was generated by a newer Dapr version using a different key type (Ed25519 vs ECDSA)
  • Certificate template no longer copies SignatureAlgorithm from the CSR; Go's x509 library now infers it from the issuer key
  • Helm chart backports the storageSize template helper that reads the live StatefulSet value, preventing immutable field conflicts on downgrade
  • Fresh installs fall back to .Values.cluster.storageSize (default 1Gi) as before
原文

Kubeflow

AI & ML2026年6月15日

日本語 準備中Kubeflow 26.03.1 is a large calendar release bundling upgrades across Pipelines, Kserve, Trainer, Notebooks, Dashboard, Istio, Knative, Dex, cert-manager, and oauth2-proxy, alongside a breaking rename of model-registry to hub and a relocation of model registry/catalog namespaces that operators must account for before upgrading.

  • breakingmodel-registry package renamed to hub

    The kubeflow/model-registry package has been renamed to kubeflow/hub. Update manifests, kustomizations, and any automation referencing the old package name.

  • breakingModel registry now deploys to user profile namespace

    Model registry deployments now land in the user's profile namespace instead of the shared default namespace. Review per-user access, RBAC, and any scripts that assumed a fixed default-namespace location.

  • breakingModel catalog moved to cluster-wide singleton

    The model catalog is now split out into the kubeflow namespace as a single cluster-wide instance rather than one per namespace. Check for per-namespace catalog customizations that would need consolidation.

  • enhancementModel registry with UI now on by default

    Model registry with its UI is now enabled by default. Clusters that previously left it off will get it running after upgrade unless explicitly disabled.

主な変更 (7)
  • Breaking: kubeflow/model-registry renamed to kubeflow/hub, with model registry relocated to per-user profile namespaces and the model catalog consolidated into a cluster-wide singleton in the kubeflow namespace
  • Model registry with UI is now enabled by default
  • Major component bumps: Kubeflow Pipelines 2.16.1, Kserve/Kserve Web App v0.18.0, Kubeflow Trainer v2.2.0, Notebooks v1.11.0 (Workspaces v2 at v2.0.0-alpha.3), Dashboard toward v2.0.0
  • Platform dependency updates: Istio 1.30.1 (hostUsers: false support), Knative 1.22.0 (new eventing security overlay), cert-manager 1.20.2 (overlay split from base), oauth2-proxy v7.15.2, Dex 2.45.1 (now 2 replicas, no sticky service)
  • CI/infra: PSS restricted and network policies added for optional knative-eventing, move to Kind 0.32+ and Kubernetes 1.36, dependabot with SHA-pinned Actions
  • Docs restructured with version-specific upgrade notes, including Kserve v0.16.x to v0.17.0 migration guidance
  • trivy scanning temporarily removed from CI, to be re-enabled later
原文

KServe

AI & ML2026年6月14日

日本語 準備中KServe v0.19.0 is a large release focused heavily on LLMInferenceService (LLMISvc) maturity: better observability, autoscaling, routing, and a migration path for llm-d v0.6 upgrades. Two CVEs are patched.

  • securityPatch two CVEs before upgrading or apply independently

    v0.19.0 patches a vLLM/Pillow CVE and pins azure-core>=1.38.0 for CVE-2026-21226. If you are running KServe with vLLM runtimes or azure-core dependencies, upgrade to v0.19.0 or manually apply the azure-core pin to your environment. Check your current Pillow version in custom server images as well.

  • breakingRouter splitter off-by-one fix changes traffic split behavior

    The pickupRoute random range had an off-by-one error. After upgrading, traffic percentages in InferenceService splitter configurations will be computed correctly, which means observed traffic distribution will shift if your weights were tuned around the buggy behavior. Verify split configurations in staging before rolling to production.

  • enhancementLLMISvc autoscaling and status visibility are now production-ready

    HPA/KEDA scaling conditions are now visible in LLMISvc status, and readiness transitions emit k8s events. If you are operating LLMInferenceService, add these conditions to your monitoring dashboards and alerting. The --scaling flag in kserve-install.sh simplifies enabling autoscaling during fresh installs.

主な変更 (7)
  • CVE fixes: vLLM setup and Pillow vulnerability patched; azure-core pinned to >=1.38.0 to address CVE-2026-21226
  • LLMInferenceService gets HPA/KEDA scaling status bubbled up to service conditions, autoscaling e2e tests, and a --scaling flag in kserve-install.sh
  • New LLMISvc observability: k8s events on readiness transitions, routing topology in status, workload references in status, ConfigNotFound condition surfaced
  • Dual-protocol (REST/gRPC) routing added for InferenceService Standard mode
  • Off-by-one bug fixed in the router splitter's pickupRoute random range — affects traffic splitting correctness
  • LocalModelCache support added for LLMInferenceService; NodeSelector fix for jobs to fix PVC access
  • Migration logic added for llm-d v0.6 component upgrades
原文

Helm

Kubernetes Core2026年6月12日

日本語 準備中Helm v4.2.1 fixes data races in concurrent operations, corrects output routing for command messages, and resolves version constraint parsing issues that caused false negatives.

  • breakingVerify output parsing in automation after upgrade

    Helm command success messages now correctly write to stdout instead of stderr. If your CI/CD pipelines, monitoring, or shell scripts redirect or filter Helm output by stream, they may behave unexpectedly. Check any grep, tee, or output capture logic that assumes helm writes to stderr. Most scripts should work unchanged, but streaming-dependent logic needs review.

  • enhancementUse version range constraints without workarounds

    Helm 4 previously rejected or warned about valid version range constraints like prerelease versions and missing spaces (e.g., 'v1.0.0||v1.1.0'). This is now fixed. If you've avoided version ranges or used pinned versions as a workaround, you can now adopt constraint-based version selection, which simplifies dependency management in large deployments.

  • enhancementUpgrade to get concurrent operation stability

    Multiple race conditions in concurrent goroutines (upgrade + rollback, install + uninstall on the same client, and WaitForDelete timing) are now fixed. Teams running high-concurrency Helm operations (e.g., multi-chart deployments, parallel reconciliation loops, or large test suites) should upgrade to eliminate intermittent failures. This is particularly important if you see flaky test results in your CI pipeline.

主な変更 (5)
  • Fixed data race in GetWaiterWithOptions when concurrent upgrade/rollback and install/uninstall operations target the same FailingKubeClient instance
  • Corrected helm command output routing: success messages now write to stdout instead of stderr
  • Fixed Helm 4 false negatives when parsing version range constraints (e.g., prerelease versions, missing spaces in || operator)
  • Patched WaitForDelete race condition where status observer canceled watches prematurely, causing intermittent test failures
  • Updated dependencies: cli-utils 1.2.1, controller-runtime 0.24.1, k8s 1.36.1, and golang.org/x/net v0.55.0 (GO-2026-5026)
原文

Helm

Kubernetes Core2026年6月12日

日本語 準備中Helm v3.21.1 fixes a nil pointer panic in template operations and updates dependencies. A straightforward patch for stability.

  • securityUpgrade for Go security patch GO-2026-5026

    golang.org/x/net was bumped to v0.55.0 to fix GO-2026-5026. This is a supply-chain dependency, not directly exposed in Helm's API. Upgrade if your security scanning flags net vulnerabilities. No action needed if you're just using Helm normally—the fix is built in.

  • breakingClientOnly template operations now error correctly instead of panicking

    Helm template commands executed without cluster access (ClientOnly mode) previously crashed with nil pointer panics. v3.21.1 returns proper template errors instead. If you have automation that catches panics, update error handling to expect typed template errors. Test your template workflows before production rollout.

  • enhancementRegistry credentials now persist through HTTP fallback

    Registry operations now keep credentials when falling back from HTTPS to plain HTTP, thanks to oras-go v2.6.1. If you use private registries with HTTP-only endpoints, this improves reliability. No configuration change needed; the fix is automatic.

主な変更 (3)
  • Fixed nil pointer panic in helm template when running in ClientOnly mode (no Kubernetes cluster)
  • Preserved registry credentials on plain-HTTP fallback via oras-go v2.6.1 update
  • Bumped Go to 1.26 and golang.org/x/net to v0.55.0 to address GO-2026-5026
原文

Kubernetes

Kubernetes Core2026年6月12日

日本語 準備中Kubernetes v1.36.2 is a patch release fixing critical bugs in Dynamic Resource Allocation (DRA) scheduler, CSI volume republishing, and endpoint controller, plus a Go 1.26.4 build update.

  • securityBinary non-UTF8 Secret data in container env vars now handled correctly

    Kubernetes 1.34+ had a regression where containers could not properly read environment variables set from Secret API objects containing binary non-UTF8 data. This is fixed in 1.36.2. If your workloads use non-text Secret data in environment variables, upgrade to prevent decode errors or silent failures.

  • breakingDRA device allocation bug affects multi-device workloads

    Kubernetes 1.36.0–1.36.1 has a scheduler bug that assigns mutually exclusive device partitions to multiple Pods when drivers use SharedCounters with multi-allocatable devices. This can cause workload failures, device conflicts, crashes, or data loss. If you use DRA with multi-allocatable devices (especially GPUs or custom accelerators with shared counters), upgrade to 1.36.2 immediately. Review recent Pod scheduling decisions for conflicts.

  • enhancementCSI volume republish failures no longer corrupt mount state

    Kubelet was incorrectly deleting CSI mount directories when periodic NodePublishVolume calls (triggered by requiresRepublish=true) failed, leaving pods with stale volume content. This is fixed in 1.36.2. If you run CSI drivers with requiresRepublish=true, this patch eliminates a data consistency risk—upgrade to prevent potential data issues on transient network or storage errors.

主な変更 (7)
  • Built with Go 1.26.4 for improved runtime stability
  • Fixed DRA scheduler bug that could assign mutually exclusive device partitions to multiple Pods, risking workload failures or data loss
  • Fixed kube-scheduler panic when DRA ResourceClaim with allocationMode: All selects shared counter devices
  • Fixed kubelet incorrectly deleting CSI mount directories on periodic NodePublishVolume errors, leaving stale volume content
  • Fixed regression where suspended Job spec modifications were rejected if JobSuspended condition was not yet set
  • Fixed endpoint controller panic on services with empty IPFamilies field
  • Fixed container environment variable handling for binary non-UTF8 data from Secrets
原文

Kubernetes

Kubernetes Core2026年6月12日

日本語 準備中Kubernetes v1.35.6 fixes critical issues in pod scheduling with multi-node claims, DRA device selection, CSI volume republishing, and endpoint handling; includes a Go runtime upgrade and performance improvements.

  • securitySecret binary data in environment variables now handled correctly

    A 1.34+ regression broke environment variable injection from Secrets containing non-UTF8 binary data (e.g., certificates, keys in base64-encoded Secrets). If you inject Secrets as env vars and those Secrets contain binary data, upgrade to v1.35.6. Test this quickly if you run database credentials or keys via Secrets—the bug may have silently broken injection.

  • breakingUpgrade Go runtime to 1.25.11 in your build pipeline

    Kubernetes v1.35.6 is built with Go 1.25.11. If you run custom controllers or operators on the same Go version, verify compatibility and rebuild. If your CI/CD locks Go versions, update your build configuration. This is standard but must be done; old Go versions may have security gaps you're inheriting.

  • enhancementDRA scheduling and CSI republishing now reliable for dynamic resource allocation

    Three bugs are fixed: (1) scheduler no longer panics on DRA ResourceClaim with AllocationMode All and shared counters; (2) pods using multi-node and per-node claims no longer deadlock in Pending; (3) kubelet no longer deletes CSI mount directories on transient NodePublishVolume errors, preventing stale volume data. If you use DRA (dynamic resource allocation) or CSI with republish enabled, this release eliminates previously deadlocking scenarios. Upgrade to clear stuck pods and prevent future hangs.

主な変更 (6)
  • Upgraded to Go 1.25.11 for runtime stability and security patches
  • Fixed pod scheduling deadlock when using both multi-node and per-node DRA claims
  • Fixed kube-scheduler panic with DRA ResourceClaim AllocationMode consuming shared counters
  • Fixed kubelet deleting CSI mount directories on periodic NodePublishVolume failures, causing stale volumes
  • Fixed endpoint controller panic on services with empty IPFamilies field (pre-dual-stack services)
  • Fixed environment variable handling for Secret objects containing binary non-UTF8 data
原文

Kubernetes

Kubernetes Core2026年6月12日

日本語 準備中Kubernetes v1.34.9 fixes volume handling in CSI mounts, binary secret data in containers, endpoint controller panics, and kubeadm certificate handling. Go 1.25.11 build improves runtime performance.

  • breakingUpgrade kubelet if running CSI drivers with requiresRepublish enabled

    A 1.34+ regression caused kubelet to delete CSI mount directories on republish failures, stranding pods with stale volume data. If you run CSI drivers with spec.requiresRepublish=true, upgrade immediately. Check your CSI driver specs and watch for failed republish attempts in kubelet logs before upgrading to confirm you hit this bug.

  • breakingTest binary Secret injection in container environment variables

    v1.34 broke environment variable parsing for containers referencing Secrets with binary (non-UTF8) data. If your workloads inject Secret data into environment variables, test them after upgrading. Check application startup logs for parsing errors; you may need to base64-encode binary Secret values instead.

  • enhancementUpdate Go runtime for performance and security

    v1.34.9 uses Go 1.25.11, which includes runtime optimizations and security patches. Upgrade when you next rotate your control plane and worker nodes. No code changes needed on your side, but the Go update may improve latency and reduce memory usage in your cluster.

主な変更 (5)
  • Kubernetes now built with Go 1.25.11 for improved performance and security patches
  • Fixed kubelet CSI mount directory deletion that left pods with stale volume contents after republish errors
  • Fixed panic in endpoint controller when processing services with empty IPFamilies field
  • Fixed regression in container environment variable parsing when values reference Secrets containing binary non-UTF8 data
  • Kubeadm certificate dry-run mode now correctly copies existing CA files
原文

Dapr

Orchestration & Management2026年6月11日

日本語 準備中Dapr 1.16.15 fixes a sentry crash that blocks all mTLS identity issuance when the issuer key is Ed25519 or RSA — directly relevant to anyone who downgraded from 1.18 or rotated their issuer key type.

  • breakingUpgrade to 1.16.15 if you downgraded from 1.18 or rotated your issuer key

    If your 1.16 control plane has an Ed25519 or RSA issuer key in the dapr-trust-bundle secret — which happens automatically after a 1.18 downgrade — dapr-sentry crash-loops and no new mTLS certificates are issued. Existing sidecars with unexpired certs keep working, but any pod restart or cert expiry will cause identity failures. Upgrade to 1.16.15 immediately. If you cannot upgrade right now, the only workaround is to replace the issuer key in dapr-trust-bundle with an ECDSA P-256 key.

主な変更 (5)
  • dapr-sentry crashes on startup with 'unsupported key type' when the trust bundle contains an Ed25519 or RSA issuer key
  • Root cause: dapr/kit's EncodePrivateKey only matched *ecdsa.PrivateKey and *ed25519.PrivateKey (pointer form), missing the value-type Ed25519 and RSA entirely
  • Fix: dapr/kit v0.16.3 now handles ed25519.PrivateKey (value), *rsa.PrivateKey, and *ecdsa.PrivateKey via PKCS#8 round-trip
  • Affects 1.16 clusters downgraded from 1.18, or any 1.16 deployment where the issuer key was manually rotated to Ed25519 or RSA
  • While sentry is crash-looping, sidecars with valid unexpired certs keep running, but any fresh start or cert rotation fails
原文

Falco

Security2026年6月11日

日本語 準備中Falco 0.44.1 adds BPF iterator control and fixes multiple BPF-related issues via a libs bump. Minimal release focused on stability for deployments using kernel-level tracing.

  • breakingUpdate libs and kernel driver together

    This release bumps libs to 0.25.4 and driver to 10.2.0+driver. If you pin kernel driver versions separately from Falco, ensure you update both in the same maintenance window. Mismatched versions can cause syscall capture failures or silent data loss.

  • enhancementControl BPF iterator behavior if you hit performance or compatibility issues

    Falco 0.44.1 introduces a config option to disable BPF iterators. If you run Falco on kernels with problematic BPF iterator implementations or see high CPU usage tied to iterator overhead, test disabling them. Check your Falco logs and metrics after upgrading to confirm the fix resolves any BPF-related instability you were seeing in 0.44.0.

主な変更 (3)
  • Add disabling option for BPF iterators in userspace Falco configuration
  • Bump libs to 0.25.4 and driver to 10.2.0+driver to resolve BPF iterator bugs
  • Support for both x86_64 and aarch64 packages across rpm, deb, and tgz formats
原文
← 新しい古い →
月別に見る