RATATOSKRATATOSK
ログイン

リリース

CNCF graduated・incubatingプロジェクトのリリースノートのAI分析。

Flux

CI/CD & App Delivery2026年3月16日

日本語 準備中Flux v2.8.3 fixes a critical helm-controller regression that broke templating for charts containing YAML separators or embedded content.

  • breakingUpgrade immediately if using Helm charts with YAML separators

    The regression in v2.8.2 breaks templating for common chart patterns like multi-document YAML files and embedded scripts. Review your Helm deployments for failures and upgrade to v2.8.3 now. Follow the official upgrade procedure for Flux v2.7+ to avoid migration issues.

  • enhancementValidate Helm chart deployments after upgrade

    After upgrading, check that previously failing Helm releases now deploy successfully. Pay special attention to charts that embed certificates, scripts, or use multiple YAML documents. This fix restores functionality that may have silently failed in recent versions.

主な変更 (4)
  • Fixed helm-controller templating errors when charts contain '---' separators
  • Resolved issues with embedded scripts and CA certificates in ConfigMaps
  • Added target branch name functionality to CLI update operations
  • Updated toolkit components for improved compatibility
原文

Argo

CI/CD & App Delivery2026年3月16日

日本語 準備中Argo CD 3.3.4 delivers critical bug fixes for token refresh handling and git-lfs support, plus enhanced security documentation - a maintenance release that improves operational stability.

  • securityVerify signed release assets

    All container images now include cosign signatures and SLSA Level 3 provenance. Use the official verification documentation to validate your container images before deployment, particularly in security-sensitive environments.

  • breakingReview token refresh configurations

    The token refresh fix resolves parsing errors that could affect component behavior. Check your existing token configurations and monitor for any authentication issues after upgrading, especially in multi-component setups.

  • enhancementUpgrade for ppc64le architecture support

    If running on ppc64le systems, this release fixes git-lfs functionality that was previously broken due to missing checksums. Plan your upgrade to restore full git-lfs capabilities on these architectures.

主な変更 (5)
  • Fixed token refresh threshold parsing errors affecting unrelated components
  • Added missing git-lfs installer checksum for ppc64le architecture support
  • Updated OpenTelemetry SDK dependencies for better observability
  • Enhanced documentation for cluster version changes and migration guidance
  • Maintained SLSA Level 3 compliance with signed container images and provenance
原文

KServe

AI & ML2026年3月13日

日本語 準備中v0.17.0 delivers substantial LLM-focused improvements with the new LLMInferenceService beta, enhanced storage parallelization, vLLM 0.15.1 upgrade, and important CVE fixes affecting production deployments.

  • securityApply critical CVE patches immediately

    This release addresses several high-impact CVEs including path traversal (storage-initializer), HTTP parser vulnerabilities (h11, starlette), and cryptography subgroup attacks. Update to v0.17.0 promptly, especially if you're using storage-initializer or external model downloads. Review your current CVE scanning results against the patched versions.

  • breakingPlan LLMInferenceService migration path

    The new LLMInferenceService CRD introduces a dedicated API for LLM workloads with different semantics than standard InferenceService. If you're running LLM models, evaluate migrating to this new resource type for better autoscaling, routing, and operational features. The CRD includes breaking changes in API structure.

  • enhancementLeverage parallel storage downloads for faster deployments

    Storage-initializer now downloads blobs in parallel from S3 and Azure, dramatically reducing model loading times for large models. This is particularly beneficial for LLM workloads. No configuration changes needed - the improvement is automatic upon upgrade.

主な変更 (5)
  • Introduced LLMInferenceService CRD with webhooks, autoscaling support, and comprehensive Gateway API integration
  • Added parallel blob downloads for S3 and Azure storage, significantly improving model loading performance
  • Upgraded vLLM runtime to 0.15.1 with enhanced startup probes and configuration flexibility
  • Fixed multiple CVEs including path traversal, HTTP parser vulnerabilities, and cryptography issues
  • Added OpenVINO model server runtime and predictive inference server for expanded model format support
原文

OpenFGA

Security2026年3月13日

日本語 準備中OpenFGA v1.12.0 improves operational reliability with automatic TLS certificate rotation, enhanced input validation, and critical race condition fixes.

  • securityUpgrade for Go stdlib vulnerability fixes

    This release addresses two Go standard library vulnerabilities (GO-2026-4603 and GO-2026-4601). Plan your upgrade to eliminate these security risks in production deployments.

  • enhancementConfigure gRPC message size limits

    Review your current message sizes and set appropriate limits using the new configuration option to prevent resource exhaustion attacks and improve system stability.

  • enhancementBenefit from automatic certificate rotation

    If you're using cert-manager or similar certificate rotation tools, this release eliminates connection failures during certificate updates. Test your certificate rotation process after upgrading to verify the improvement.

主な変更 (5)
  • gRPC message size limits now configurable for better resource control
  • HTTP gateway automatically handles TLS certificate rotation without connection failures
  • Tuple validation rejects unicode control characters and null bytes for security
  • Race condition in check reducers fixed to prevent non-deterministic execution
  • Cache metrics corrected to prevent indefinite upward drift on overwrites
原文

Longhorn

Storage & Data2026年3月13日

日本語 準備中Longhorn v1.11.1 delivers critical bug fixes including a major memory leak in instance manager pods and backup failures with S3-compatible storage, making it an urgent upgrade for v1.11.0 users.

  • securityBackup restore functionality compromised

    S3-compatible backup targets (Storj, GCS) were failing due to AWS SDK v2 authorization issues. Test your backup and restore workflows after upgrading, especially if using non-AWS S3 endpoints. Verify large backup transfers complete successfully.

  • breakingUrgent upgrade required for v1.11.0 users

    Users running v1.11.0 experiencing high memory usage in instance manager pods must upgrade immediately. The memory leak can cause cluster instability and pod evictions. Plan upgrade maintenance window and monitor memory usage during rollout.

  • enhancementImproved scheduling with topology awareness

    New CSI topology-aware nodeAffinity controls provide better volume placement. Review your storage class configurations to leverage allowedTopologies and strictTopology settings for multi-zone deployments and specific node scheduling requirements.

主な変更 (5)
  • Fixed critical memory leak in longhorn-instance-manager pods caused by proxy connection leaks
  • Resolved AWS SDK v2 compatibility issues causing backup failures to S3-compatible storage like Storj and GCS
  • Enhanced V2 Data Engine with improved fast replica rebuild and clone functionality
  • Added CSI topology-aware PV nodeAffinity control for better scheduling
  • Fixed storage double-counting that caused scheduling failures when multiple replicas exist on same node
原文

Strimzi

Networking & Messaging2026年3月12日

日本語 準備中Strimzi 0.45.2 is the final patch release for the 0.45.x branch, focusing on critical CVE fixes and Kafka 3.9.2 support while serving as the last version supporting ZooKeeper-based clusters.

  • securityApply patch immediately for CVE fixes

    This release addresses multiple high-priority CVEs in ZooKeeper, JWT libraries, and networking components. Upgrade to 0.45.2 immediately to patch these vulnerabilities, especially if you handle sensitive data or run internet-facing services.

  • breakingMigrate to KRaft before upgrading beyond 0.45.x

    This is your last chance to run ZooKeeper-based Kafka clusters in Strimzi. Plan your KRaft migration now since Strimzi 0.46+ will only support KRaft mode. Follow the official KRaft migration guide and test thoroughly in non-production first.

  • breakingHandle Kafka 3.9.2 annotation issue for future upgrades

    If you're using Kafka 3.9.2, upgrading to Strimzi 0.46-0.51 will require manually updating pod annotations. Save the provided kubectl command for when you upgrade: it updates the Kafka version annotation on pods to prevent operator failures.

主な変更 (5)
  • Final patch release for 0.45.x branch - no further patches will be released
  • Added support for Apache Kafka 3.9.2 with container image updates
  • Multiple CVE fixes including ZooKeeper CVE-2024-47554, Nimbus Jose JWT CVE-2025-53864, and GRPC Netty Shaded CVE-2025-55163
  • Last Strimzi version to support ZooKeeper-based Kafka clusters and MirrorMaker 1
  • Upgraded dependency versions: Vert.x 4.5.24, Netty 4.1.130.Final, Apache Log4J 2.25.3, Cruise Control 2.5.146
原文

Flux

CI/CD & App Delivery2026年3月12日

日本語 準備中Flux v2.8.2 delivers critical fixes for reconciliation loops, Azure Container Registry authentication, and includes a security patch for CVE-2026-27138. The release focuses on operational stability improvements.

  • securityApply CVE-2026-27138 patch immediately

    This release fixes a potential Denial of Service vulnerability during TLS handshakes. Schedule your upgrade to v2.8.2 as soon as possible, especially if your Flux installation handles external TLS connections or operates in environments with security compliance requirements.

  • enhancementEnable DefaultToRetryOnFailure for better HelmRelease reliability

    If you use CancelHealthCheckOnNewRevision and have experienced stuck HelmReleases, enable the new DefaultToRetryOnFailure feature gate. This prevents canceled releases without retry strategies from hanging indefinitely, improving deployment reliability.

  • enhancementVerify Azure Container Registry authentication after upgrade

    The ACR authentication scope fix may resolve intermittent authentication failures you've experienced with Azure registries. After upgrading, monitor your image pulls and source operations to confirm improved reliability with ACR repositories.

主な変更 (5)
  • Fixed unnecessary reconciliation requests when source objects are already processing the current revision
  • Resolved Helm template YAML separator bug by upgrading to Helm 4.1.3
  • Added DefaultToRetryOnFailure feature gate to prevent HelmReleases from getting stuck when canceled
  • Corrected Azure Container Registry authentication scope for proper access
  • Patched CVE-2026-27138 TLS handshake DoS vulnerability by building with Go 1.26.1
原文

Linkerd

Networking & Messaging2026年3月12日

日本語 準備中Linkerd edge-26.3.2 delivers routine dependency updates across Rust, Go, and Node.js components, plus a metrics improvement that prevents scraping from failed pods and completed jobs.

  • enhancementMonitor metrics collection improvements

    The update excludes failed pods and completed jobs from proxy metrics scraping, reducing noise in your monitoring data. Review your current metrics dashboards to see if you notice cleaner data patterns after upgrading, and consider adjusting any alerting thresholds that may have been accounting for this noise.

  • enhancementTest edge release in non-production first

    This edge release bundles many dependency updates at once. Deploy to staging environments first to validate that the combined changes don't introduce unexpected behavior in your specific workload patterns before rolling to production clusters.

主な変更 (4)
  • Updated proxy to v2.342.0 with latest improvements
  • Comprehensive dependency updates across Rust (pin-project-lite, ryu, anyhow), Go (gRPC, klog), and JavaScript (webpack, babel-loader) components
  • Enhanced metrics collection by excluding failed pods and completed jobs from proxy scraping
  • Upgraded Docker build actions to v4.0.0 and v7.0.0 for improved CI/CD workflows
原文

Helm

Kubernetes Core2026年3月12日

日本語 準備中Helm v3.20.1 fixes two critical bugs affecting chart value handling and OCI registry operations that could cause deployment failures.

  • enhancementUpgrade immediately for value handling fixes

    This patch resolves two bugs that could break chart deployments. The nil value preservation fix prevents unexpected behavior when overriding chart defaults, while the OCI tag+digest fix enables proper chart pulling from registries using both identifiers. Test your existing charts after upgrading to ensure value overrides work as expected.

  • enhancementVerify OCI chart references work properly

    If you use OCI registries with tag+digest references (like `registry/chart:v1.0@sha256:abc123`), this release fixes previous 'invalid byte' errors. Update your CI/CD pipelines to use this version before relying on tag+digest combinations for chart immutability.

主な変更 (4)
  • Fixed nil value preservation bug when charts have empty maps or no defaults for keys
  • Resolved OCI reference failures with tag+digest causing 'invalid byte' errors
  • Updated Kubernetes dependencies to latest versions
  • Added support for pulling charts from OCI indices
原文

Helm

Kubernetes Core2026年3月11日

日本語 準備中Helm v4.1.3 patches multiple critical bugs affecting OCI registries, dry-run operations, and value handling that were causing deployments to fail or behave unpredictably in production environments.

  • breakingUpdate OCI registry workflows immediately

    If you use OCI registries that store both container images and Helm charts under the same tag, upgrade now. The previous bug caused complete pull failures. Test your chart pulls after upgrading to ensure compatibility with your registry setup.

  • enhancementReview autoscaling upgrade timeouts

    Upgrades now properly wait for cluster autoscalers and rolling updates instead of failing prematurely. Review your deployment pipelines and consider reducing any artificial delays you added to work around this issue. Monitor initial upgrades closely to verify improved behavior.

  • enhancementValidate dry-run operations with generateName

    Server-side dry-run now correctly handles generateName fields. If you've been avoiding dry-run validation for resources using generateName, re-enable it in your CI/CD pipelines. This improves pre-deployment validation coverage.

主な変更 (5)
  • Fixed dry-run server mode not respecting generateName, causing validation issues
  • Resolved OCI registry failures when pulling charts from mixed container/chart repositories
  • Fixed nil value preservation preventing proper chart defaults overrides
  • Corrected FailedStatus handling that caused premature upgrade failures during autoscaling
  • Eliminated YAML corruption from template whitespace trimming after post-rendering
原文

Dragonfly

Storage & Data2026年3月11日

日本語 準備中Dragonfly v2.4.3 is a pure maintenance release focusing on dependency updates and security patches, with no functional changes for users.

  • securityApply routine security updates

    This patch release includes dependency updates that may contain security fixes. Update your Dragonfly deployments to v2.4.3 during your next maintenance window. The upgrade should be seamless with no breaking changes or configuration updates required.

  • enhancementImproved observability with OpenTelemetry updates

    The OpenTelemetry library updates from v0.63.0 to v0.67.0 provide better tracing capabilities. If you're using distributed tracing with Dragonfly, you may see improved trace collection and reduced overhead after upgrading.

主な変更 (5)
  • Updated OpenTelemetry libraries from v0.63.0 to v0.67.0 for improved observability
  • Upgraded Docker actions to v4.0.0 for GitHub CI/CD workflows
  • Bumped Golang system dependencies including oauth2 and sys packages
  • Updated d7y.io/api to v2.2.24 for latest API compatibility
  • Refreshed GitHub Actions dependencies for stale issue management
原文

Backstage

CI/CD & App Delivery2026年3月11日

日本語 準備中Backstage v1.48.5 was released, but the published notes are too brief to summarize. See the original release notes for details.

原文

KubeEdge

Provisioning & Runtime2026年3月11日

日本語 準備中KubeEdge v1.23 ships a major edge DB refactor (Beego → GORM), node query optimization to cut edge-cloud bandwidth, device anomaly detection in CRDs, and solid Windows EdgeCore improvements.

  • breakingUpdate all Device status reads to use the new DeviceStatus CRD

    Device status has been extracted from the Device CRD into a standalone DeviceStatus CRD. The release says backward compatibility is maintained for the CRD schema itself, but any code, scripts, or automation that reads device status directly from the Device object will silently miss updates after the upgrade. Audit your operators, dashboards, and GitOps pipelines before upgrading — reroute status reads to the new DeviceStatus CRD.

  • enhancementValidate edge DB behavior after the Beego-to-GORM migration

    The entire edge database layer has been rewritten. GORM replaces Beego ORM and all DB operations are now funneled through a single MetaManager entry point. This is a lower-risk change but still a deep internal refactor. Run your existing edge workloads against a staging environment on v1.23 before rolling to production — watch for any edge cases in MetaManager behavior, especially around reconnect and offline-mode scenarios.

  • enhancementTake advantage of local node query optimization for large deployments

    If you're running dozens or hundreds of edge nodes, the shift from remote CloudCore node queries to local edge DB lookups should noticeably reduce your edge-cloud tunnel bandwidth. No configuration change is required — CloudCore automatically syncs node updates to the edge DB. Still worth monitoring your edge-cloud channel metrics post-upgrade to confirm the improvement in your specific topology.

主な変更 (6)
  • Edge DB refactored from Beego ORM to GORM with a unified MetaManager entry point — lighter binary, cleaner code path
  • Node queries now served from local edge DB instead of remote CloudCore calls, reducing edge-cloud channel pressure at scale
  • Device anomaly detection is now configurable in Device CRD pushMethod and pluggable at the mapper level
  • Device CRD status split into a separate DeviceStatus CRD — existing consumers must update their queries
  • Windows EdgeCore improvements: named pipe DMI, version-aware keadm upgrade, and log file redirection for service mode
  • Vendored Kubernetes bumped to v1.32.10
原文

Envoy

Networking & Messaging2026年3月11日

日本語 準備中Envoy v1.37.1 is a critical security patch addressing five CVEs including crash vulnerabilities and RBAC bypasses. Teams running production Envoy should prioritize immediate updates.

  • securityApply critical CVE fixes immediately

    Five CVEs fixed including crash conditions in rate limiting and IPv6 handling, plus an RBAC bypass. Test your deployment in staging first, then schedule emergency maintenance to update production clusters within 24-48 hours.

  • enhancementReview OAuth2 and ext_authz configurations

    If you use OAuth2 refresh tokens, verify host header behavior works correctly after the fix. For ext_authz users, check that error handling now properly respects your status_on_error settings and denied response headers reach clients as expected.

  • enhancementValidate ext_proc filter chains

    Multiple ext_proc filters in a chain now work correctly. If you previously avoided chaining due to bugs, test this functionality in your development environment to simplify complex processing pipelines.

主な変更 (5)
  • Fixed five security vulnerabilities including rate limit crash, multivalue header RBAC bypass, and IPv6 address crash
  • Resolved OAuth2 host header rewriting issue affecting refresh token requests
  • Enhanced ext_proc filter to support multiple filters in chain configuration
  • Improved ext_authz error handling for 5xx responses and proper header propagation
  • Introduced extended ABI forward compatibility for dynamic modules
原文

Envoy

Networking & Messaging2026年3月11日

日本語 準備中Envoy v1.36.5 delivers critical security patches addressing five CVEs including crash vulnerabilities in rate limiting, RBAC bypass issues, and memory corruption bugs that require immediate upgrading.

  • securityUpgrade immediately for critical crash fixes

    Multiple CVEs can cause Envoy crashes or memory corruption. The rate limiting crash (CVE-2026-26330) and IPv6 address handling bug (CVE-2026-26310) pose immediate availability risks. Schedule emergency maintenance windows to deploy this patch, especially if you use rate limiting or handle IPv6 traffic.

  • securityReview RBAC policies for multivalue header bypass

    CVE-2026-26308 allowed bypassing RBAC rules through multivalue headers. After upgrading, audit your RBAC configurations to ensure they weren't exploited and verify that header-based access controls work as expected in your environment.

  • enhancementTest OAuth2 workflows after host rewriting fix

    The OAuth2 refresh bug fix changes how host headers are handled during authentication flows. If you use Envoy for OAuth2 with custom host rewriting rules, test your authentication workflows thoroughly after upgrading to ensure tokens refresh correctly.

主な変更 (5)
  • Five CVE fixes covering rate limit crashes, RBAC multivalue header bypass, IPv6 address handling crashes, JSON string corruption, and HTTP decode method blocking
  • OAuth2 refresh request bug fix preventing host rewriting from overriding original Host values
  • Migration from internal googleurl to open source Google GURL library
  • Kafka test binary updated to version 3.9.2
  • Docker base image security updates
原文

Envoy

Networking & Messaging2026年3月10日

日本語 準備中Envoy v1.35.9 delivers critical security patches for four CVEs affecting RBAC, IPv6 handling, JSON processing, and HTTP decoding, plus OAuth2 host rewriting fixes.

  • securityUpgrade immediately for critical security fixes

    Four CVEs fixed in this release could lead to authentication bypass, crashes, and memory corruption. Schedule immediate deployment especially if using RBAC policies, IPv6 networking, JSON processing, or experiencing downstream connection resets. Test thoroughly in staging first as security fixes can affect request handling behavior.

  • enhancementValidate OAuth2 host rewriting behavior

    OAuth2 refresh requests now correctly preserve original Host headers instead of being overridden. If your setup relies on custom host rewriting for OAuth2 flows, verify that authentication still works as expected after upgrading. This change improves compliance with OAuth2 specifications.

主な変更 (5)
  • Four CVE fixes addressing RBAC multivalue header bypass, IPv6 crash, JSON corruption, and HTTP decode blocking issues
  • OAuth2 refresh requests now preserve original Host header values during host rewriting
  • Migration from internal googleurl to open GitHub repository (google/gurl)
  • Kafka test binary updated to version 3.9.2
  • Docker base images refreshed to latest versions
原文

containerd

Kubernetes Core2026年3月10日

日本語 準備中containerd 2.2.2 fixes critical CRI networking bugs, registry credential leakage, and AppArmor compatibility issues that could affect production Kubernetes workloads.

  • securityUpdate to prevent registry credential exposure

    Registry credentials could leak in error messages and pod events. Deploy this patch immediately if you use private registries with authentication, as these credentials might appear in logs or Kubernetes events that could be accessed by unauthorized users.

  • breakingFix CNI network cleanup after restarts

    CNI DEL operations weren't executing after containerd restarts, leaving stale network configurations. This affects pod networking reliability. Update before your next maintenance window to prevent network namespace leaks and potential IP conflicts.

  • enhancementUpgrade for AppArmor compatibility

    AppArmor profiles now work correctly with unix domain sockets on modern kernels. If you're running newer kernel versions and experiencing socket connection issues with AppArmor enabled, this update resolves the compatibility problem.

主な変更 (5)
  • Fixed CNI cleanup issue where network teardown failed after containerd restarts
  • Resolved credential leakage in error messages when registry authentication fails
  • Fixed AppArmor profile causing unix socket failures on newer kernels
  • Corrected registry mirror configuration migration for legacy setups
  • Fixed nil pointer crashes in memory metrics when constraints are partially configured
原文

Envoy

Networking & Messaging2026年3月10日

日本語 準備中Critical security patch addressing four CVEs including RBAC bypass, IPv6 crash, memory corruption, and HTTP decode vulnerabilities that require immediate upgrade.

  • securityUpgrade immediately for RBAC bypass fix

    CVE-2026-26308 allows attackers to bypass RBAC policies using multivalue headers. This directly impacts access control security. Schedule emergency maintenance to upgrade all Envoy instances, especially those using RBAC for authorization.

  • securityPatch IPv6 crash vulnerability in production

    CVE-2026-26310 causes crashes when processing scoped IPv6 addresses, leading to service disruption. If you handle IPv6 traffic or run dual-stack configurations, prioritize this upgrade to prevent potential DoS attacks.

  • securityAddress JSON processing memory corruption

    CVE-2026-26309 corrupts string null terminators during JSON processing, potentially leading to memory corruption or information disclosure. Update immediately if your services process JSON payloads through Envoy.

主な変更 (5)
  • Fixed CVE-2026-26308 multivalue header bypass in RBAC that could allow unauthorized access
  • Resolved CVE-2026-26310 crash vulnerability when processing scoped IPv6 addresses
  • Patched CVE-2026-26309 off-by-one memory write bug in JSON processing
  • Fixed CVE-2026-26311 HTTP decode method vulnerability after downstream resets
  • Corrected OAuth2 refresh request host rewriting behavior
原文

Istio

Networking & Messaging2026年3月10日

日本語 準備中Istio 1.29.1 was released, but the published notes are too brief to summarize. See the original release notes for details.

原文

Istio

Networking & Messaging2026年3月10日

日本語 準備中Istio 1.28.5 was released, but the published notes are too brief to summarize. See the original release notes for details.

原文

Istio

Networking & Messaging2026年3月10日

日本語 準備中Istio 1.27.8 was released, but the published notes are too brief to summarize. See the original release notes for details.

原文

cert-manager

Security2026年3月10日

日本語 準備中cert-manager v1.20.0 introduces Gateway API ListenerSet support, Azure Private DNS integration, and promotes OtherNames to Beta, while fixing several ACME and DNS-related bugs.

  • securityUpdate for DNS DoS vulnerability fix

    A moderate security issue allowed attackers to cause controller denial-of-service through malformed DNS responses. Update immediately if your cert-manager controllers are exposed to untrusted DNS servers or networks where DNS traffic could be manipulated.

  • breakingContainer UID/GID changes affect security contexts

    Default container user changed from UID 1000 to 65532, and group from GID 0 to 65532. Review your pod security policies, security contexts, and file permissions if you've hardcoded these values or rely on root group access.

  • enhancementEnable Azure Private DNS for internal certificate management

    New Azure Private DNS support allows DNS-01 challenges for private zones. Configure your Azure DNS issuer with private zone settings to manage certificates for internal services without exposing DNS records publicly.

主な変更 (5)
  • Gateway API ListenerSet resource support with experimental feature gate
  • Azure Private DNS zones support for DNS-01 challenges
  • OtherNames feature promoted to Beta and enabled by default
  • Network policy configuration flags across all containers
  • Enhanced Venafi provider with custom fields annotation support
原文

Harbor

Storage & Data2026年3月10日

日本語 準備中Harbor v2.13.5 focuses on security improvements with stricter bearer token validation and removes sensitive configuration data from audit logs.

  • securityBearer token security enforcement requires review

    Harbor now rejects bearer tokens issued before project creation, which could break existing integrations using older tokens. Audit your CI/CD pipelines and automation scripts that authenticate with Harbor to ensure they regenerate tokens after this upgrade.

  • enhancementAudit log cleanup improves security posture

    Configuration payloads are no longer logged in audit trails, reducing exposure of sensitive settings. Review your log monitoring and compliance processes to ensure they still capture necessary security events without relying on configuration data in logs.

  • enhancementUpdated Trivy brings latest vulnerability definitions

    Trivy v0.69.3 includes newer vulnerability databases and detection rules. Schedule a rescan of your container images to identify any newly discovered vulnerabilities that weren't caught in previous scans.

主な変更 (5)
  • Removed payload from configuration audit logs to prevent sensitive data exposure
  • Enhanced bearer token security by rejecting tokens issued before project creation
  • Updated Trivy scanner to v0.69.3 and adapter to v0.35.1 for latest vulnerability detection
  • Upgraded Go runtime and base container images for security patches
  • Fixed CI pipeline compatibility with newer Docker versions
原文

Harbor

Storage & Data2026年3月10日

日本語 準備中Harbor v2.14.3 delivers critical security fixes for bearer token validation and updates Trivy scanner to version 0.69.3, focusing on hardening authentication mechanisms and keeping vulnerability detection current.

  • securityUpdate immediately for bearer token fix

    This release patches a security flaw where Harbor accepted bearer tokens issued before project creation. Deploy v2.14.3 immediately if you use token-based authentication, as this could allow unauthorized access to projects.

  • enhancementBenefit from updated Trivy scanning

    Trivy v0.69.3 includes the latest vulnerability database and detection capabilities. Schedule a rescan of your critical images after upgrading to catch newly discovered vulnerabilities that older versions missed.

  • enhancementReview audit log configurations

    Sensitive payload data has been removed from configuration audit logs to prevent credential exposure. Verify your log monitoring tools still capture the security events you need after this change.

主な変更 (5)
  • Bearer token security fix preventing acceptance of tokens issued before project creation
  • Trivy vulnerability scanner updated to v0.69.3 with adapter v0.35.1
  • Configuration audit log no longer includes sensitive payload data
  • Base image refresh and Go dependency updates for improved security posture
  • GitHub Actions workflows migrated to ubuntu-latest runners
原文

Dapr

Orchestration & Management2026年3月9日

日本語 準備中Dapr 1.17.1 fixes critical runtime issues including WASM component registration failures on production architectures and workflow cleanup problems.

  • breakingUpgrade immediately if using WASM components

    WASM binding and middleware components were completely broken on production architectures in v1.16.0-v1.17.0. Applications using these components failed to start. Test your WASM components after upgrading to confirm they register and function correctly.

  • enhancementExpect placement service performance improvements

    Large clusters with many non-actor sidecars will see reduced placement overhead. Monitor placement service metrics and actor invocation latency—you should observe fewer lock cycles and improved performance, especially during sidecar restarts.

  • enhancementReview workflow cleanup configurations

    Previously stalled workflows that became unstalled can now be properly cleaned up. Verify your state retention policies are working as expected and check for any workflow instances that should have been purged but weren't.

主な変更 (4)
  • WASM binding and middleware components now register properly on amd64/arm64/arm architectures after filename build constraint fix
  • Previously stalled workflows can now be cleaned up by state retention policies and purge APIs
  • Placement service no longer triggers unnecessary dissemination cycles for sidecars without actor types
  • Bulk subscription timers properly reset after early dispatch due to message count limits
原文

Argo

CI/CD & App Delivery2026年3月9日

日本語 準備中Argo CD v3.3.3 delivers targeted bug fixes for CNPG actions, hook annotations, and resource health checks, maintaining stability without introducing breaking changes.

  • enhancementUpdate CNPG Integration Configuration

    Teams using CloudNativePG with Argo CD should verify their suspend/resume actions work correctly after upgrading. The annotation fix ensures proper CNPG cluster lifecycle management through Argo CD workflows.

  • enhancementReview Multi-Hook Resource Configurations

    Applications using multiple PreDelete or PostDelete hooks with comma-separated annotations will now execute properly. Audit existing applications with complex hook configurations to ensure expected behavior.

  • enhancementValidate Cross-Namespace Resource Dependencies

    Complex applications with multi-level cross-namespace dependencies involving cluster-scoped resources should now traverse correctly. Test existing applications that previously showed incomplete resource trees or sync issues.

主な変更 (6)
  • Fixed CNPG suspend/resume actions using correct annotations
  • Corrected comma-separated hook annotations for PreDelete/PostDelete hooks
  • Improved resource health checks with proper drySha handling
  • Fixed standard resource icon display issues in UI
  • Enhanced kubeversion consistency with Helm version 3.3
  • Resolved multi-level cross-namespace hierarchy traversal for cluster-scoped resources
原文

NATS

Networking & Messaging2026年3月9日

日本語 準備中NATS v2.12.5 delivers critical security fixes for leafnode compression and WebSocket vulnerabilities, while significantly improving JetStream backup performance and fixing numerous stability issues in filestore operations.

  • securityUpdate immediately for critical CVE fixes

    Two CVEs affect production systems: CVE-2026-29785 impacts leafnode compression and CVE-2026-27889 affects WebSocket connections. Both can cause server panics or security issues. Schedule maintenance window to update all NATS servers running v2.12.4 or earlier.

  • enhancementOptimize JetStream backups for unreliable networks

    Stream backups now support window_size parameter for better flow control. If you run backups over slow or unreliable connections, configure appropriate window sizes to improve throughput and reduce backup failures. Test with your network conditions to find optimal values.

  • enhancementReview async metalayer snapshot behavior

    Metalayer snapshots now run asynchronously to prevent blocking JS API operations. This improves performance but changes timing behavior. If your applications rely on synchronous snapshot timing, set `meta_compact_sync: true` in jetstream config block to restore previous behavior.

主な変更 (5)
  • Critical CVE fixes for leafnode compression (CVE-2026-29785) and WebSocket parsing (CVE-2026-27889)
  • JetStream stream backups now use improved flow control with window_size parameter for better performance over unreliable connections
  • Metalayer snapshots now run asynchronously by default to prevent blocking JS API operations
  • Fixed multiple filestore race conditions and lock leaks that could cause crashes or performance degradation
  • WebSocket handling improvements including proper frame validation and compression state management
原文

NATS

Networking & Messaging2026年3月9日

日本語 準備中NATS v2.11.14 is a critical security release addressing two CVEs affecting leafnode compression and WebSocket features, plus multiple stability fixes to prevent server panics.

  • securityUpgrade immediately if using leafnodes or WebSockets

    Two CVEs affect common NATS configurations. If you have leafnode compression or WebSocket features enabled, upgrade immediately to prevent potential security exploits. Check your configuration for 'compression: enabled' in leafnode sections or 'websocket' listeners.

  • securityReview WebSocket Origin validation settings

    Origin header validation now includes protocol scheme verification. Audit your WebSocket client configurations to ensure they specify correct origins (including https:// or wss:// schemes) to avoid connection rejections after upgrade.

  • enhancementMonitor for reduced panic incidents

    This release fixes multiple panic conditions in leafnode and WebSocket handling. After upgrading, you should see fewer unexpected server restarts. Review your monitoring dashboards to confirm improved stability metrics.

主な変更 (5)
  • Fixes CVE-2026-29785 affecting leafnode compression systems
  • Fixes CVE-2026-27889 affecting WebSocket-enabled deployments
  • Prevents server panics from leafnode subscription race conditions
  • Improves WebSocket frame parsing and payload validation
  • Enhanced Origin header validation for WebSocket security
原文

Open Policy Agent (OPA)

Security2026年3月9日

日本語 準備中OPA v1.14.1 is a patch release that reverts rule indexer changes causing lookup failures and fixes a plugin manager deadlock, while updating dependencies for security vulnerabilities.

  • securitySecurity updates in dependencies

    This release includes Go 1.26.1 and updated dependencies that patch known vulnerabilities. Schedule this upgrade as part of your regular security maintenance cycle, especially if you're running OPA in production.

  • breakingUpgrade immediately if using v1.14.0

    The rule indexer changes in v1.14.0 cause policy lookup failures for some configurations. Deploy v1.14.1 to restore reliable policy evaluation. The optimization will return in v1.15.0 with proper fixes.

  • enhancementPlugin manager stability improved

    The deadlock fix resolves intermittent hangs during configuration operations. If you've experienced unexplained OPA freezes during plugin configuration, this release should eliminate those issues.

主な変更 (4)
  • Reverted rule indexer optimization from v1.14.0 that caused unexpected policy lookup failures
  • Fixed intermittent deadlock in plugins manager during opa.configure operations
  • Updated Go to version 1.26.1 and refreshed dependency versions
  • Addressed various Golang standard library and package vulnerabilities
原文

Dragonfly

Storage & Data2026年3月9日

日本語 準備中Dragonfly v2.4.2 adds gRPC rate limiting and scheduler cluster configuration while improving security scores and fixing several configuration inconsistencies.

  • breakingUpdate configuration files for renamed fields

    The rateLimit configuration field was renamed to bandwidthLimit. Check your configuration files and update any references to use the new naming convention to avoid configuration parsing errors.

  • enhancementConfigure gRPC rate limiting for production

    The new gRPC rate limiting feature protects against resource exhaustion attacks. Review your current traffic patterns and configure appropriate rate limits in your Dragonfly configuration to prevent service degradation under load.

  • enhancementLeverage new scheduler cluster management

    With scheduler cluster de-registration support, implement proper cluster lifecycle management in your deployment scripts. This helps maintain cluster health and prevents orphaned schedulers from affecting performance.

主な変更 (5)
  • Added gRPC server request rate limiting to prevent resource exhaustion
  • Introduced scheduler cluster de-registration support for better cluster management
  • Added seed client configuration support for improved peer connectivity
  • Refactored configuration naming for consistency (rateLimit → bandwidthLimit)
  • Upgraded API to v2.2.14 and multiple dependency updates for security patches
原文

Jaeger

Observability2026年3月7日

日本語 準備中Jaeger v2.16.0 introduces breaking changes requiring Go 1.25.7 and removes legacy remote sampling format, while improving ClickHouse performance and adding Elasticsearch health-check timeout support.

  • breakingUpgrade Go to version 1.25.7 before deploying

    The Go version requirement is now enforced across the codebase. Teams running older Go versions will face build failures. Update your build environments, CI/CD pipelines, and container images to Go 1.25.7 before attempting to upgrade or build from source.

  • breakingUpdate remote sampling client integrations

    The legacy remote sampling endpoint response format has been removed. If your applications use custom remote sampling clients that depend on the old format, they will break. Review your sampling configuration and update any custom clients to use the current format before upgrading.

  • enhancementEnable Elasticsearch health-check timeout for improved startup reliability

    New startup health-check timeout configuration prevents indefinite blocking during Elasticsearch connectivity issues. Add health-check timeout settings to your Elasticsearch storage configuration to improve service startup reliability in environments with intermittent connectivity.

主な変更 (6)
  • Go version requirement bumped to 1.25.7 across the entire codebase
  • Legacy remote sampling endpoint response format removed
  • ClickHouse query performance improved through findtraceids restructuring
  • Elasticsearch health-check timeout support added for startup reliability
  • HTTP servers migrated from Gorilla Mux to stdlib http.ServeMux
  • UI fixes for critical path visualization and v3 API client base path handling
原文

Dapr

Orchestration & Management2026年3月6日

日本語 準備中Dapr 1.16.10 fixes critical WASM component registration failures on production architectures and patches security vulnerabilities in Go runtime and OpenTelemetry SDK.

  • securityUpdate for Go runtime and OpenTelemetry security patches

    This release patches vulnerabilities in Go 1.25.7 (crypto/tls, go command) and OpenTelemetry SDK (arbitrary code execution via PATH hijacking). Plan your upgrade within your normal security patching window, prioritizing environments where PATH manipulation is possible.

  • breakingUpgrade immediately if using WASM components

    WASM binding and middleware components have been completely broken on production architectures since v1.16.0. If you're using these components and running v1.16.0-v1.16.9, upgrade to v1.16.10 immediately as your WASM components are silently failing to register.

  • enhancementReview Pulsar Avro message publishing for early error detection

    Pulsar PubSub now validates JSON messages against Avro schemas before publishing, catching malformed data earlier. Test your Pulsar publishing workflows to ensure they handle the new validation errors gracefully and benefit from faster codec performance.

主な変更 (5)
  • Fixed WASM binding and middleware components failing to register on amd64/arm64 architectures due to filename collision with Go build constraints
  • Added Pulsar PubSub Avro schema validation to prevent malformed messages from being published without error feedback
  • Updated Go runtime to 1.25.7 with security fixes for crypto/tls and go command vulnerabilities
  • Upgraded OpenTelemetry SDK to v1.40.0 to patch arbitrary code execution vulnerability (GO-2026-4394)
  • Cached Pulsar Avro codec compilation at initialization for improved publishing performance
原文

CoreDNS

Kubernetes Core2026年3月6日

日本語 準備中CoreDNS v1.14.2 delivers critical security fixes including ACL bypass prevention and stronger loop detection randomness, plus introduces proxy protocol support for preserving client IPs behind load balancers.

  • securityUpgrade immediately to fix ACL bypass vulnerability

    This release fixes CVE-2026-26017 where the rewrite plugin could bypass ACL restrictions. Teams using ACL plugin for access control should prioritize this upgrade and verify their rewrite rules aren't inadvertently exposing restricted zones.

  • securityUpdate Go runtime for multiple CVE fixes

    The Go 1.26.1 update addresses five CVEs in the runtime. Plan your rollout to ensure you're getting both CoreDNS fixes and the underlying Go security improvements, especially if your CoreDNS instances are internet-facing.

  • enhancementDeploy proxyproto plugin for load balancer environments

    If you're running CoreDNS behind load balancers and need real client IP visibility for logging or ACLs, configure the new proxyproto plugin. This is particularly valuable for environments where client IP-based policies or audit trails are required.

主な変更 (5)
  • New proxyproto plugin enables client IP preservation behind load balancers using Proxy Protocol
  • Fixed ACL bypass vulnerability by reordering rewrite plugin execution before ACL checks
  • Strengthened loop detection security by switching to cryptographically secure randomness
  • Resolved TLS+IPv6 forwarding parsing errors that affected encrypted DNS traffic
  • Enhanced DNS logging with response Type and Class metadata for better observability
原文

Linkerd

Networking & Messaging2026年3月6日

日本語 準備中Edge release focused on dependency maintenance with proxy updates to v2.341.0. Notable addition of extra attributes in Kubernetes SubjectAccessReview for improved authorization handling.

  • enhancementEvaluate SubjectAccessReview improvements for RBAC

    The addition of extra attributes in SubjectAccessReview requests improves authorization evaluation accuracy. Review your current RBAC policies to ensure they handle additional context properly, especially if using custom authorization webhooks or detailed access controls.

  • enhancementMonitor proxy performance after v2.341.0 update

    Three proxy version bumps indicate active development. Test performance and connection handling in your environment, particularly if you've experienced proxy-related issues. The incremental updates suggest gradual improvements rather than breaking changes.

主な変更 (5)
  • Proxy updated from v2.339.0 to v2.341.0 across multiple incremental releases
  • Major dependency updates including Tokio v1.50.0, axum v0.8.8, and Kubernetes client libraries
  • SubjectAccessReview now includes extra attributes for enhanced RBAC evaluation
  • Security framework updates including aws-lc-rs to v1.16.0 and rustls-pki-types to v1.14.0
  • GitHub Actions updated to newer versions (upload-artifact v7.0.0, download-artifact v8.0.0)
原文

Strimzi

Networking & Messaging2026年3月6日

日本語 準備中Strimzi 0.51.0 addresses critical CVEs and drops support for Kubernetes versions below 1.30, while adding Kafka 4.2.0 support and moving ServerSideApplyPhase1 to beta.

  • securityUpgrade immediately for CVE fixes

    Two critical CVEs affect Strimzi 0.47.0 and newer versions. Review the security advisories to determine if your deployment is affected, then upgrade to 0.50.1 or 0.51.0 immediately. The CVE numbers appear to be from 2026, which suggests these may be embargoed vulnerabilities with delayed disclosure.

  • breakingVerify Kubernetes compatibility before upgrading

    Strimzi 0.51.0 requires Kubernetes 1.30+. Check your cluster version before upgrading. If running Kubernetes 1.27-1.29, upgrade your cluster first or remain on an earlier Strimzi version until cluster upgrade is possible.

  • breakingUpdate CRDs and KafkaUser resources during upgrade

    Manually upgrade CRDs as part of the Strimzi upgrade process, especially when using Helm. For clusters upgrading from 0.48 or older, update KafkaUser resources to use the new `.spec.authorization.acls[]operations` field format before upgrading.

主な変更 (5)
  • Critical security fixes for CVE-2026-27133 and CVE-2026-27134 requiring immediate upgrade from versions 0.47.0+
  • Kubernetes 1.30+ now required - versions 1.27, 1.28, and 1.29 no longer supported
  • Added Kafka 4.2.0 support while removing Kafka 4.0.0 and 4.0.1 compatibility
  • Per-listener Kafka configuration options now available for connection limits and reauthentication settings
  • Ingress listener type deprecated due to upstream project archival in March 2026
原文

Keycloak

Security2026年3月5日

日本語 準備中Keycloak 26.5.5 is a critical security release addressing four SAML broker vulnerabilities that could allow authentication bypass and unauthorized access in production environments.

  • securityImmediate upgrade required for SAML users

    These CVEs affect SAML broker configurations and could allow authentication bypass. If you use SAML identity providers or broker functionality, schedule emergency maintenance to upgrade immediately. Review your disabled SAML providers to ensure they're properly secured post-upgrade.

  • securityAudit SAML broker configurations

    After upgrading, verify that disabled SAML identity providers are truly disabled and cannot process authentication requests. Check your IdP-initiated login flows and ensure encryption is working correctly for SAML assertions.

主な変更 (4)
  • Fixed CVE-2026-3047: SAML broker authentication bypass when disabled client completes IdP-initiated login
  • Resolved CVE-2026-3009: Improper enforcement of disabled identity providers in broker service
  • Patched CVE-2026-2603: Disabled SAML IdPs incorrectly allowing IdP-initiated logins
  • Secured CVE-2026-2092: SAML broker encrypted assertion injection vulnerability
原文

Backstage

CI/CD & App Delivery2026年3月4日

日本語 準備中Backstage v1.48.4 was released, but the published notes are too brief to summarize. See the original release notes for details.

原文

SPIRE

Security2026年3月3日

日本語 準備中SPIRE v1.14.2 addresses two critical security vulnerabilities in server node attestor plugins that could enable SSRF attacks and CPU exhaustion.

  • securityUpgrade immediately to patch critical vulnerabilities

    Two security issues affect SPIRE servers using http_challenge or x509pop attestors. The SSRF vulnerability lets attackers redirect servers to unauthorized domains and extract response data. The x509pop DoS vulnerability allows CPU exhaustion attacks. Update to v1.14.2 immediately if you use either attestor plugin.

主な変更 (3)
  • Fixed SSRF vulnerability in http_challenge server node attestor plugin
  • Resolved CPU exhaustion issue in x509pop server node attestor plugin
  • Both vulnerabilities could be exploited by attackers during node attestation
原文

SPIRE

Security2026年3月3日

日本語 準備中SPIRE v1.13.4 fixes two critical security vulnerabilities in node attestor plugins that could enable SSRF attacks and CPU exhaustion attacks.

  • securityUpgrade immediately to patch critical vulnerabilities

    Two severe vulnerabilities affect node attestation security. The http_challenge plugin SSRF flaw lets attackers probe internal networks, while the x509pop plugin can be exploited for DoS attacks. Update to v1.13.4 immediately and audit recent attestation logs for suspicious activity.

  • securityReview node attestor plugin configurations

    If you use http_challenge or x509pop attestor plugins, verify your network security controls and consider temporary restrictions on node attestation endpoints until the upgrade is complete. Monitor CPU usage patterns during attestation processes.

主な変更 (4)
  • Fixed SSRF vulnerability in http_challenge server node attestor allowing attackers to redirect server requests
  • Patched CPU exhaustion attack vector in x509pop server node attestor plugin
  • Both vulnerabilities affected the node attestation process used for workload identity verification
  • Security fixes address potential unauthorized access and denial of service scenarios
原文

CRI-O

Kubernetes Core2026年3月3日

日本語 準備中CRI-O v1.33.10 fixes a critical bug in high performance hook IRQ SMP affinity handling that could cause IRQ interference between containers during late deletion scenarios.

  • securityUpdate immediately if using high performance hooks

    This bug could cause performance degradation or unexpected behavior in high-performance workloads by interfering with IRQ handling between containers. If you're running CRI-O with high performance hooks enabled (typically in HPC or latency-sensitive environments), upgrade immediately to prevent IRQ SMP affinity corruption that occurs during container cleanup.

主な変更 (3)
  • Fixed IRQ SMP affinity bug in high performance hooks preventing cross-container interference
  • Resolved issue where late container deletion affected IRQ settings of other containers
  • No dependency changes or new features in this patch release
原文
← 新しい古い →