RATATOSKRATATOSK
ログイン

リリース

CNCF graduated・incubatingプロジェクトのリリースノートのAI分析。

CRI-O

Kubernetes Core2026年3月3日

日本語 準備中CRI-O v1.33.10 fixes a critical bug in high performance hook IRQ SMP affinity handling that could cause IRQ interference between containers during late deletion scenarios.

  • securityUpdate immediately if using high performance hooks

    This bug could cause performance degradation or unexpected behavior in high-performance workloads by interfering with IRQ handling between containers. If you're running CRI-O with high performance hooks enabled (typically in HPC or latency-sensitive environments), upgrade immediately to prevent IRQ SMP affinity corruption that occurs during container cleanup.

主な変更 (3)
  • Fixed IRQ SMP affinity bug in high performance hooks preventing cross-container interference
  • Resolved issue where late container deletion affected IRQ settings of other containers
  • No dependency changes or new features in this patch release
原文

CRI-O

Kubernetes Core2026年3月3日

日本語 準備中CRI-O v1.35.1 fixes critical systemd container issues with user namespaces and adds TLS configuration options for API servers.

  • breakingTest systemd workloads with user namespaces

    A regression in v1.35.0 broke systemd containers when hostUsers: false is set. This patch fixes it, but if you're running v1.35.0, upgrade immediately and test any systemd workloads that use user namespace isolation to ensure they start properly.

  • enhancementConfigure TLS settings for production security

    New TLS configuration options let you harden streaming and metrics server security. Add tls_min_version and tls_cipher_suites to your [crio.api] section to enforce TLS 1.3 and strong cipher suites in production environments.

  • enhancementVerify runc v1.4.0 compatibility

    The update to runc v1.4.0 brings performance improvements and bug fixes. Test your container workloads, especially those using advanced features like cgroups v2 or checkpoint/restore, to ensure compatibility with the new runtime version.

主な変更 (5)
  • Fixed systemd containers failing with 'Permission denied' errors when user namespaces are enabled
  • Added TLS configuration options (tls_min_version, tls_cipher_suites) for streaming and metrics servers
  • Improved OCI artifact pull fallback logic to skip retries on retryable errors
  • Updated runc to v1.4.0 and multiple dependency versions for stability
  • Enhanced TLS support with configurable TLS 1.2 (default) and TLS 1.3 options
原文

CRI-O

Kubernetes Core2026年3月3日

日本語 準備中CRI-O v1.34.6 is a maintenance release with no functional changes, dependencies, or fixes - purely a version bump from v1.34.5.

  • enhancementSkip this release unless forced by policy

    This release contains zero functional changes. Stay on v1.34.5 unless your organization requires running the latest patch version for compliance reasons. Save the upgrade effort for a release that brings actual improvements.

主な変更 (4)
  • No code changes between v1.34.5 and v1.34.6
  • No dependency updates or removals
  • Release artifacts available for amd64, arm64, ppc64le, and s390x architectures
  • SBOM and signature verification support maintained
原文

Karmada

Orchestration & Management2026年2月28日

日本語 準備中Karmada v1.16.3 is a bug-fix release addressing critical issues including controller race conditions, scheduler panics, and graceful eviction problems that could impact multi-cluster operations stability.

  • breakingUpgrade immediately to prevent scheduler crashes

    The scheduler panic fix for divide-by-zero errors is critical for production stability. Schedule maintenance window to upgrade karmada-scheduler component, especially if you use spread constraints across clusters with dynamic availability.

  • enhancementReview CronFederatedHPA configurations after upgrade

    The fix for CronFederatedHPA scale-up failures when replicas field is missing improves reliability. After upgrading, verify your CronFederatedHPA resources are scaling correctly from zero replicas, and consider adding explicit replicas fields to avoid edge cases.

  • enhancementMonitor graceful eviction behaviors post-upgrade

    The graceful eviction timing fix prevents GracePeriodSeconds leakage between tasks. After upgrade, monitor your workload evictions to ensure they complete within expected timeframes and adjust grace periods if needed for improved resource cleanup.

主な変更 (5)
  • Fixed job status aggregator race condition causing error loops in controller manager
  • Resolved CronFederatedHPA scaling failures when replicas field is missing
  • Corrected graceful eviction task timing issues preventing proper resource cleanup
  • Fixed scheduler divide-by-zero panic when no valid clusters available for spread constraints
  • Improved backoff queue sorting to prevent priority inversion in scheduler operations
原文

Karmada

Orchestration & Management2026年2月28日

日本語 準備中Karmada v1.15.6 is a critical bug-fix release addressing race conditions, scheduler panics, and CronFederatedHPA failures that could impact production stability.

  • securityBase image security update included

    Alpine base image updated to 3.23.3 which may include security patches. Review your container scanning results after upgrade and update any custom images based on Karmada components.

  • breakingCritical scheduler stability fixes require immediate update

    The scheduler panic fix and backoff queue corrections address critical stability issues that could cause service disruptions. Plan immediate upgrade for production environments running multi-cluster workloads with spread constraints or high scheduling volumes.

  • enhancementCronFederatedHPA reliability improvements

    If using CronFederatedHPA for autoscaling, this release fixes scale-up failures when replicas field is missing. Update to ensure consistent autoscaling behavior across your federated deployments.

主な変更 (5)
  • Fixed job status aggregator race condition preventing error loops
  • Resolved CronFederatedHPA scale-up failures when replicas field is missing
  • Corrected graceful eviction task timing issues with GracePeriodSeconds
  • Fixed scheduler panic from divide-by-zero errors in spread constraints
  • Improved backoff queue sorting to prevent priority inversion issues
原文

Karmada

Orchestration & Management2026年2月28日

日本語 準備中Karmada v1.14.10 is a patch release focused on stability improvements, fixing critical race conditions in job status handling, scheduler panics, and graceful eviction timing issues.

  • enhancementUpgrade to improve operational stability

    This patch fixes several critical race conditions and panics that could affect workload scheduling and job management. Plan an upgrade during maintenance window to prevent potential scheduler crashes and job status inconsistencies in production clusters.

  • enhancementReview CronFederatedHPA configurations

    The fix for CronFederatedHPA scale-up from zero when replicas field is missing means previously broken auto-scaling configurations will now work correctly. Audit your CronFederatedHPA resources to ensure they behave as expected after upgrade.

主な変更 (6)
  • Fixed race condition in job status aggregator that could cause error loops
  • Resolved CronFederatedHPA scale-up failures when replicas field is missing
  • Fixed GracePeriodSeconds value leakage between eviction tasks
  • Corrected scheduler panic from divide-by-zero in spread constraint calculations
  • Fixed backoff queue sorting causing priority inversion in scheduler
  • Resolved resource quota plugin namespace issue in scheduler estimator
原文

Karmada

Orchestration & Management2026年2月28日

日本語 準備中Karmada v1.17.0 is a community-driven release with contributions from 30+ developers, focusing on stability improvements and feature enhancements for multi-cluster management.

  • enhancementPlan upgrade testing in staging environment

    With 30+ contributors and significant community activity, this release likely contains substantial improvements. Test the upgrade path in your staging clusters first, paying attention to controller behavior and resource propagation patterns before rolling out to production.

  • enhancementReview cluster scheduling policies

    Enhanced scheduling capabilities may offer new optimization opportunities for your workload distribution. Review your current PropagationPolicies and OverridePolicies to leverage potential new features for better resource utilization across clusters.

主な変更 (5)
  • Enhanced multi-cluster resource propagation and scheduling capabilities
  • Improved cluster federation management and workload distribution
  • Strengthened API compatibility and controller reliability
  • Extended observability and monitoring features for federated clusters
  • Performance optimizations for large-scale cluster deployments
原文

Dapr

Orchestration & Management2026年2月27日

日本語 準備中Dapr 1.17 focuses on production-ready workflows with versioning support, state retention policies, and 41% improved throughput, while stabilizing Bulk PubSub API and enhancing Placement service reliability.

  • enhancementImplement workflow versioning for production workflows

    If you run long-duration workflows in production, adopt the new versioning feature to safely deploy workflow updates. Use named versions for major changes and patching for minor updates. Plan migration strategy for existing workflows before upgrading to avoid replay issues.

  • enhancementConfigure workflow state retention policies

    Review your workflow storage growth patterns and configure retention policies to prevent unbounded state store growth. Set shorter retention for completed workflows and longer retention for failed workflows to balance storage costs with debugging needs.

  • enhancementUpgrade Placement service for better actor reliability

    The improved Placement service provides more reliable actor routing during deployments and scaling. Test your actor-based applications with frequent scaling scenarios to validate the improved convergence behavior after upgrading.

主な変更 (5)
  • Workflow versioning support with named versions and patching strategies for safe evolution of long-running workflows
  • State retention policies to control workflow history storage growth and manage terminal state cleanup
  • Placement service improvements with stricter three-stage updates and faster disconnect detection
  • Stabilized Bulk PubSub API for production use
  • New CLI commands for workflow and scheduler management operations
原文

Flux

CI/CD & App Delivery2026年2月27日

日本語 準備中Flux v2.8.1 is a patch release fixing critical issues with Git commit status notifications and StatefulSet health checks during Pod scheduling problems.

  • enhancementUpgrade to fix Git integration issues

    If you're experiencing missing Git commit status updates or notifications, upgrade to v2.8.1. The fix ensures proper Git webhook integration and status reporting for your GitOps workflows. Follow the official upgrade procedure for Flux v2.7+ to avoid disruption.

  • enhancementResolve StatefulSet monitoring problems

    Upgrade if you have StatefulSets that show incorrect health status when Pods are stuck in Pending state due to resource constraints or scheduling issues. This fix provides more accurate deployment status reporting, improving your observability during rollouts.

主な変更 (5)
  • Fixed Git commit status events being dropped for Kustomizations in notification-controller
  • Improved StatefulSet health checks when Pods are Pending/Unschedulable during rollouts
  • Updated kustomize-controller, notification-controller, and helm-controller components
  • Removed workarounds that are no longer needed for Flux 2.8
  • Updated fluxcd/pkg dependencies for better stability
原文

Vitess

Storage & Data2026年2月27日

日本語 準備中Security-focused release addressing two critical CVEs related to backup MANIFEST file vulnerabilities that could allow arbitrary command execution and path traversal attacks.

  • securityImmediate upgrade required for CVE-2026-27965 and CVE-2026-27969

    Two critical CVEs allow attackers with backup storage write access to execute arbitrary commands and perform path traversal attacks. Upgrade immediately to v22.0.4 and review backup storage access controls to ensure only trusted entities have write permissions.

  • securityAudit and secure backup storage access

    Since these vulnerabilities require write access to backup storage, review who has write permissions to your backup locations. Implement proper access controls and consider using immutable backup storage where possible to prevent tampering.

  • breakingUpdate VTTablet configuration if using MANIFEST-based decompressors

    External decompressor commands from MANIFEST files are ignored by default. If your restore process relies on this behavior, add the --external-decompressor-use-manifest flag to your VTTablet configuration, but understand this reintroduces security risks.

主な変更 (4)
  • External decompressor commands from backup MANIFEST files are no longer used by default
  • Path traversal attacks via MANIFEST file modifications are now prevented
  • New --external-decompressor-use-manifest flag added for explicit opt-in to MANIFEST-based decompressor
  • 37 merged pull requests with security-focused improvements
原文

Vitess

Storage & Data2026年2月27日

日本語 準備中Vitess v23.0.3 is a critical security release addressing two CVEs related to backup restore vulnerabilities, with breaking changes to external decompressor handling.

  • securityImmediate Upgrade Required for Backup Security

    This release fixes critical vulnerabilities (CVE-2026-27965, CVE-2026-27969) that allow attackers with backup storage write access to execute arbitrary commands or perform path traversal attacks. Upgrade immediately if you use Vitess backups, especially in environments where backup storage might be compromised. Review backup storage access controls and audit recent backup operations for suspicious activity.

  • breakingUpdate VTTablet Configuration for External Decompressors

    If your backup/restore process relies on external decompressors defined in MANIFEST files, you must add the --external-decompressor-use-manifest flag to your VTTablet configuration. Without this flag, restores will fail if they depend on MANIFEST-specified decompressors. Review your backup strategy and explicitly configure decompressor commands instead of relying on MANIFEST files for better security.

  • enhancementStrengthen Backup Security Posture

    Take this opportunity to review and harden your backup security practices. Implement strict access controls on backup storage, use dedicated service accounts with minimal permissions, and consider encrypting backup storage. The new security model provides better isolation but requires explicit configuration of decompression tools rather than trusting backup metadata.

主な変更 (5)
  • External decompressor commands from backup MANIFEST files are no longer used by default during restore
  • Added --external-decompressor-use-manifest flag to explicitly opt into MANIFEST-based decompressor usage
  • Implemented path traversal protection to prevent arbitrary file writes during backup restore
  • Fixed CVE-2026-27965 and CVE-2026-27969 related to backup security vulnerabilities
  • 22 merged pull requests focused on security improvements
原文

Kubernetes

Kubernetes Core2026年2月27日

日本語 準備中Kubernetes v1.35.2 is a patch release that provides stability and bug fixes for the v1.35 series, maintaining compatibility while addressing issues discovered in production environments.

  • enhancementPlan routine patch upgrade

    This is a standard patch release with stability fixes. Schedule upgrade during your next maintenance window using standard rolling update procedures. Test in non-production environments first, but expect minimal risk as this maintains full compatibility with v1.35.x.

  • enhancementUpdate container registry references

    Update your deployment manifests, Helm charts, and CI/CD pipelines to reference the new v1.35.2 container images. All images maintain the same registry.k8s.io paths with updated version tags.

主な変更 (5)
  • Patch release with bug fixes and stability improvements for v1.35 series
  • Updated container images available across all supported architectures (amd64, arm64, ppc64le, s390x)
  • Client, server, and node binaries updated with latest fixes
  • No breaking changes or major feature additions in this patch release
  • Maintained backward compatibility with existing v1.35.x deployments
原文

Kubernetes

Kubernetes Core2026年2月26日

日本語 準備中Kubernetes v1.32.13 is a patch release focused on bug fixes and security improvements for the stable v1.32 series, maintaining backward compatibility.

  • securityApply Security Patch Immediately

    This patch release likely includes critical security fixes. Schedule immediate upgrades for production clusters, especially if you're running earlier v1.32.x versions. Test in staging first, then roll out to production with standard maintenance windows.

  • enhancementUpdate Container Images and Binaries

    Pull the latest v1.32.13 container images and update node binaries across your infrastructure. This is a straightforward in-place upgrade that maintains API compatibility. Update your CI/CD pipelines to reference the new image tags.

  • enhancementVerify Multi-Architecture Support

    If running mixed-architecture clusters, ensure all architectures (amd64, arm64, ppc64le, s390x) are updated consistently. The manifest lists support automatic architecture selection, but verify your deployment automation handles this correctly.

主な変更 (5)
  • Patch release in the v1.32 stable series with bug fixes and security improvements
  • Updated container images available across all supported architectures (amd64, arm64, ppc64le, s390x)
  • Client, server, and node binaries updated for all supported platforms including Windows
  • Maintained API compatibility with existing v1.32.x deployments
  • Standard Kubernetes component updates (kube-apiserver, kube-controller-manager, kube-proxy, kubelet)
原文

Kubernetes

Kubernetes Core2026年2月26日

日本語 準備中Kubernetes v1.33.9 is a patch release providing critical bug fixes and stability improvements. This version maintains backward compatibility while addressing operational issues in the 1.33 branch.

  • enhancementSchedule routine patch upgrade

    This is a standard patch release containing bug fixes and stability improvements. Plan to upgrade from earlier 1.33.x versions during your next maintenance window. Test in non-production environments first and follow your standard rolling update procedures.

  • enhancementVerify multi-architecture support

    All container images now support manifest lists across amd64, arm64, ppc64le, and s390x architectures. If you're running mixed-architecture clusters, validate that your deployment tooling properly pulls the correct architecture-specific images.

主な変更 (5)
  • Patch release with critical bug fixes and stability improvements
  • Container images available for amd64, arm64, ppc64le, and s390x architectures
  • Client binaries available for multiple platforms including Windows ARM64 support
  • Server and node binaries updated with latest fixes
  • Maintained backward compatibility with existing 1.33.x deployments
原文

Kubernetes

Kubernetes Core2026年2月26日

日本語 準備中Kubernetes v1.34.5 is a patch release providing standard bug fixes and stability improvements for the 1.34 series, with no major feature changes or breaking modifications.

  • enhancementSchedule routine upgrade during maintenance window

    As a patch release, v1.34.5 contains stability and bug fixes that should be applied during your next scheduled maintenance window. Test in non-production environments first, then apply using your standard rolling upgrade procedures. No configuration changes or special migration steps are required.

  • enhancementUpdate container image tags in deployments

    Update your deployment manifests, Helm charts, and CI/CD pipelines to reference the new v1.34.5 container images. This is particularly important for clusters using specific version tags rather than floating tags to ensure you receive the latest stability fixes.

主な変更 (5)
  • Patch-level bug fixes and stability improvements for existing v1.34 features
  • Updated container images available across all supported architectures (amd64, arm64, ppc64le, s390x)
  • Standard binary releases for all major platforms including Darwin, Linux, and Windows
  • Maintenance release following typical Kubernetes patch release cadence
  • No breaking changes or deprecated feature removals in this patch version
原文

Open Policy Agent (OPA)

Security2026年2月26日

日本語 準備中OPA v1.14.0 delivers significant rule indexing improvements for variable assignments and 'x in {...}' expressions, along with H2C Unix domain socket support, enhanced testing output, and various performance optimizations.

  • enhancementOptimize policy performance with improved rule indexing

    The enhanced rule indexing for variable assignments and membership expressions will automatically improve performance for policies using patterns like 'x := input.role; x in {"admin", "user"}'. Review your existing policies to identify similar patterns that will benefit from this optimization without requiring code changes.

  • enhancementEnable H2C with Unix domain sockets for secure local communication

    If you're running OPA in containerized environments or need secure local IPC, use the new '--h2c' flag with Unix domain sockets. This reduces network overhead and improves security for local service-to-service communication patterns.

  • enhancementLeverage custom storage backend API for specialized use cases

    The new custom storage backend registration API enables integration with specialized storage systems. Evaluate if your current storage requirements could benefit from custom backends, particularly for high-performance or compliance-specific storage needs.

主な変更 (6)
  • Enhanced rule indexing for variable assignments and 'x in {...}' expressions improves query performance
  • Added H2C protocol support with Unix domain sockets for 'opa run' command
  • New line number display in test output for better debugging experience
  • Custom storage backend registration API for extensibility
  • Fixed race condition in plugin trigger management
  • Performance improvements in array unification and JSON patch operations
原文

Backstage

CI/CD & App Delivery2026年2月26日

日本語 準備中Backstage v1.48.3 was released, but the published notes are too brief to summarize. See the original release notes for details.

原文

Prometheus

Observability2026年2月26日

日本語 準備中Prometheus 3.10.0 introduces distroless Docker images for enhanced security, new PromQL fill() functions for handling missing data, and numerous performance improvements across query execution and TSDB operations.

  • enhancementConsider migrating to distroless images for production

    The new distroless variant provides better security with minimal attack surface and uses proper nonroot UID/GID 65532. Plan migration by adjusting volume ownership and permissions - existing named volumes require ownership changes, and bind mounts may need permission adjustments depending on your setup.

  • enhancementOptimize memory usage with stale series compaction

    Enable experimental `stale_series_compaction_threshold` in your config to automatically compact stale series in memory, reducing memory footprint for workloads with high series churn. Start with conservative thresholds and monitor memory usage patterns.

  • enhancementBuild custom Prometheus binaries for resource optimization

    Use new build tags `remove_all_sd` and `enable_<sd name>_sd` to create smaller Prometheus binaries containing only the service discovery mechanisms you actually use, reducing binary size and potential attack surface in containerized deployments.

主な変更 (5)
  • Distroless Docker image variant with UID/GID 65532 for enhanced security alongside existing busybox image
  • New PromQL fill(), fill_left(), and fill_right() functions for handling missing series with default values
  • Experimental stale series compaction in memory with configurable threshold for TSDB optimization
  • Independent alertmanager sendloops with new alertmanager dimension in notification metrics
  • Modular service discovery build system allowing custom Prometheus builds with only required SDs
原文

OpenKruise

CI/CD & App Delivery2026年2月25日

日本語 準備中OpenKruise v1.8.3 was released, but the published notes are too brief to summarize. See the original release notes for details.

原文

OpenKruise

CI/CD & App Delivery2026年2月25日

日本語 準備中OpenKruise v1.7.5 was released, but the published notes are too brief to summarize. See the original release notes for details.

原文

Rook

Storage & Data2026年2月24日

日本語 準備中Rook v1.19.2 is a patch release focusing on bug fixes and feature additions for the Ceph operator, including CSI image updates, OSD multipath fixes, and NVMeOF improvements.

  • enhancementUpdate CSI components for bug fixes

    The Ceph CSI update to 3.16.1 includes important fixes. Plan a maintenance window to update your Rook deployment to benefit from improved storage provisioning reliability and bug fixes.

  • enhancementReview multipath storage configurations

    If you're using multipath devices with metadata devices for OSDs, this release fixes deployment issues. Test the upgrade in a staging environment first, as OSD changes can be sensitive.

  • enhancementLeverage new ObjectStore user management

    The new OpMask field in ObjectStoreUserSpec allows more granular permission control for RADOS Gateway users. Review your current user configurations and consider implementing more restrictive permissions where appropriate.

主な変更 (5)
  • Updated Ceph CSI image to version 3.16.1 for improved storage provisioning
  • Fixed OSD deployment issues on multipath devices with metadata devices
  • Added OpMask field to ObjectStoreUserSpec for better RADOS Gateway user management
  • Enhanced NVMeOF gateway with topology spread constraints and expansion field updates
  • Improved log collection capabilities for Ceph exporter pods
原文

cert-manager

Security2026年2月24日

日本語 準備中cert-manager v1.18.6 is a security-focused patch release primarily addressing CVE-2025-68121 through Go runtime updates, with no functional changes to certificate management operations.

  • securityUpdate to v1.18.6 for CVE-2025-68121 mitigation

    This release patches a Go runtime vulnerability (CVE-2025-68121) that could affect cert-manager security. Plan an upgrade within your standard maintenance window as this is a drop-in replacement with no configuration changes required. Test in non-production first, then roll out to production clusters.

  • enhancementSafe upgrade path for production workloads

    Since this is purely a security patch with no functional changes, you can upgrade with confidence using your existing deployment processes. The update maintains full backward compatibility, making it suitable for automated deployment pipelines without additional testing overhead.

主な変更 (4)
  • Go runtime updated to address CVE-2025-68121 security vulnerability
  • CVE-2026-24051 left unpatched as it only affects macOS environments
  • Pure security patch with no breaking changes or new features
  • Maintains compatibility with existing cert-manager deployments
原文

cert-manager

Security2026年2月24日

日本語 準備中cert-manager v1.19.4 was released, but the published notes are too brief to summarize. See the original release notes for details.

原文

Flux

CI/CD & App Delivery2026年2月24日

日本語 準備中Flux v2.8.0 introduces major GitOps capabilities including Helm v4 support, enhanced observability, faster recovery times, and improved notification features while removing deprecated APIs.

  • breakingMigrate from deprecated v1beta2/v2beta2 APIs immediately

    Deprecated APIs have been removed from CRDs. Follow the official upgrade procedure for Flux v2.7+ to migrate your resources to supported API versions before upgrading to v2.8.0.

  • enhancementEnable faster application recovery with new feature gate

    Activate the CancelHealthCheckOnNewRevision feature gate on your Kustomizations and HelmReleases to reduce recovery time during application failures by canceling health checks when new revisions are detected.

  • enhancementImplement automated PR notifications for GitOps workflows

    Configure Pull Request commenting in your notification providers to enable direct feedback from Flux deployments to development teams, improving visibility and collaboration in GitOps workflows.

主な変更 (5)
  • Helm v4 support with server-side apply and improved health checking
  • Reduced mean time to recovery with CancelHealthCheckOnNewRevision feature gate
  • Pull Request commenting support in notification providers
  • Custom SSA apply stages for ordered resource deployment in kustomize-controller
  • Automatic GitHub App installation ID lookup from repository owners
原文

Knative

Orchestration & Management2026年2月24日

日本語 準備中Knative knative-v1.20.3 was released, but the published notes are too brief to summarize. See the original release notes for details.

原文

Knative

Orchestration & Management2026年2月24日

日本語 準備中Knative v1.21.1 is a patch release that rebuilds v1.21.0 with Kubernetes v1.25.7 and provides advance notice of upcoming security defaults changes in v1.22.

  • securityPrepare for enhanced pod security posture

    Review your container images and workloads that run as root. The upcoming AllowRootBounded setting restricts root access while maintaining compatibility. Audit your applications now and consider migrating away from root execution where possible for better security alignment.

  • breakingTest workloads for v1.22 security changes now

    The secure-pod-defaults will change from disabled to AllowRootBounded in v1.22. Test your workloads with this setting enabled now. If incompatible, explicitly set secure-pod-defaults to disabled in your configuration before upgrading to v1.22 to avoid service disruptions.

主な変更 (4)
  • Rebuilt with Kubernetes v1.25.7 for compatibility and stability
  • secure-pod-defaults remains disabled by default in v1.21.1
  • Future v1.22 release will change secure-pod-defaults to AllowRootBounded by default
  • AllowRootBounded setting provides better security while maintaining compatibility with root-requiring images
原文

Backstage

CI/CD & App Delivery2026年2月24日

日本語 準備中Backstage v1.48.2 was released, but the published notes are too brief to summarize. See the original release notes for details.

原文

OpenFGA

Security2026年2月23日

日本語 準備中OpenFGA v1.11.6 enables ListObjects pipeline by default for improved performance, upgrades gRPC client implementation, and addresses a security vulnerability in grpc-health-probe.

  • securityUpdate deployments using grpc-health-probe

    If you're using grpc-health-probe for health checks in your OpenFGA deployments, this update addresses CVE-2025-68121. Verify your container images are pulling the latest version and update any standalone grpc-health-probe binaries.

  • enhancementTest ListObjects pipeline performance impact

    The new default ListObjects pipeline algorithm may improve query performance but could change behavior. Monitor your ListObjects API calls after upgrade and be prepared to disable it with listObjects-pipeline-enabled=false if you encounter issues.

主な変更 (3)
  • ListObjects pipeline algorithm now enabled by default (can be disabled with listObjects-pipeline-enabled=false)
  • Migration from deprecated grpc.DialContext to grpc.NewClient for grpc-gateway client
  • Security update: grpc-health-probe bumped to v0.4.45 addressing CVE-2025-68121
原文

KubeVirt

Orchestration & Management2026年2月23日

日本語 準備中KubeVirt v1.7.1 delivers critical bug fixes for live migration, volume hotplug, and VM snapshot operations, along with enhanced monitoring capabilities and security updates.

  • securityUpdate to address crypto dependency vulnerabilities

    The golang.org/x/crypto dependency was updated to v0.45.0 to address security issues. Plan to upgrade to this version promptly, especially in production environments handling sensitive workloads, as crypto vulnerabilities can impact VM security.

  • breakingCross-vendor migration prevention requires review

    KubeVirt now prevents cross-vendor migrations which may break existing workflows that rely on migrating VMs between different infrastructure providers. Review your migration patterns and ensure source and target nodes use compatible virtualization stacks.

  • enhancementImplement ephemeral volume monitoring

    New metrics and alerts for ephemeral hotplug volumes improve operational visibility. Configure your monitoring stack to capture these new metrics and set up alerts for ephemeral volume lifecycle events to better track resource usage and potential issues.

主な変更 (6)
  • Fixed decentralized live migration issues between volumes with different volumeModes
  • Resolved block volume hotplug breaking autoattachVSOCK functionality
  • Added ephemeral hotplug volume metrics and alerts for better monitoring
  • Fixed missing migration metrics that impacted observability
  • Updated security dependencies including golang.org/x/crypto to v0.45.0
  • Enhanced VM export functionality to work with PVCs from completed pods
原文

Argo

CI/CD & App Delivery2026年2月22日

日本語 準備中Argo CD v3.3.2 fixes the critical client-side apply migration issue that affected self-managed installations in v3.3.0/v3.3.1, requiring specific upgrade steps for users managing Argo CD with itself.

  • breakingEnable ServerSideApply for Self-Managed Installations

    If you have an Argo CD Application managing your Argo CD installation, you must enable `ServerSideApply=true` sync option on that Application before upgrading to v3.3.2. This is required for the upgrade to succeed and prevents apply migration failures.

  • breakingRemove Temporary ClientSideApplyMigration Setting

    If you previously upgraded to v3.3.0/v3.3.1 and set `ClientSideApplyMigration=false` as a workaround, remove this setting after upgrading to v3.3.2. Keeping it may cause field manager conflicts with other Kubernetes controllers.

  • enhancementSafe Upgrade Path for Previously Affected Users

    Users affected by the v3.3.0/v3.3.1 client-side apply migration bug can now safely upgrade to v3.3.2. Follow the upgrade guide carefully and test the upgrade process in a non-production environment first, especially for self-managed installations.

主な変更 (4)
  • Fixed client-side apply migration failure that prevented successful upgrades in v3.3.0/v3.3.1
  • Resolved conflicts between Argo CD field manager and other Kubernetes field managers
  • Updated documentation to clarify upgrade requirements for self-managed installations
  • Maintained SLSA Level 3 provenance and cosign signatures for all container images
原文

Contour

Networking & Messaging2026年2月20日

日本語 準備中Contour v1.33.2 is a maintenance release that fixes a critical HTTPProxy status update bug, upgrades Go to v1.25.7, and improves CPU allocation for the shutdown-manager container.

  • securityUpgrade for Go security patches

    Go v1.25.7 includes security fixes and performance improvements. Schedule an upgrade to benefit from these updates, especially if you're running production workloads with previous Contour versions.

  • breakingFix HTTPProxy status update issues

    If you're experiencing load balancer status update failures with HTTPProxy resources, this release fixes the CRD schema issue. Upgrade immediately if you rely on status fields for monitoring or automation.

  • enhancementImproved Gateway Provisioner performance

    The increased CPU limit for shutdown-manager prevents throttling issues. If you're using Contour Gateway Provisioner and experiencing slow shutdown operations, this upgrade will improve performance.

主な変更 (4)
  • Go runtime updated to v1.25.7 for latest security and performance improvements
  • Fixed HTTPProxy CRD schema bug causing load balancer status update failures
  • Increased shutdown-manager CPU limit from 50m to 200m in Gateway Provisioner to prevent throttling
  • Maintains compatibility with Kubernetes versions 1.32 through 1.34
原文

Contour

Networking & Messaging2026年2月20日

日本語 準備中Contour v1.32.3 is a maintenance release that updates Go runtime to v1.24.13 and fixes a critical CRD schema bug preventing load balancer status updates.

  • securityUpdate for Go Security Fixes

    Go v1.24.13 includes security patches. Schedule upgrade to v1.32.3 during your next maintenance window to benefit from runtime security improvements and bug fixes.

  • breakingFix Load Balancer Status Issues

    If you're experiencing load balancer status update failures with HTTPProxy resources, upgrade immediately. The CRD schema fix resolves status reporting issues that could affect traffic routing visibility and monitoring.

主な変更 (4)
  • Go runtime updated to v1.24.13 with security fixes and improvements
  • Fixed HTTPProxy CRD schema bug that incorrectly marked status.loadBalancer.ingress[].ports[].error as required field
  • Resolved load balancer status update failures affecting ingress traffic routing
  • Maintained compatibility with Kubernetes versions 1.31 through 1.33
原文

Contour

Networking & Messaging2026年2月20日

日本語 準備中Contour v1.31.4 is a patch release addressing a critical load balancer status update bug and updating Go to v1.24.13 for security and stability improvements.

  • securityUpgrade for Go security patches

    Go v1.24.13 includes security fixes that improve runtime security. Plan to upgrade Contour to v1.31.4 during your next maintenance window to benefit from these security improvements.

  • enhancementFix load balancer status reporting issues

    If you've experienced failures in load balancer status updates with HTTPProxy resources, this release resolves the CRD schema issue. Upgrade to restore proper status reporting functionality, especially important for automation and monitoring systems that depend on load balancer status.

主な変更 (4)
  • Go runtime updated to v1.24.13 for security and performance improvements
  • Fixed HTTPProxy CRD schema bug causing load balancer status update failures
  • Maintains compatibility with Kubernetes 1.30-1.32
  • Focused on stability improvements with no breaking changes
原文

Keycloak

Security2026年2月20日

日本語 準備中Keycloak 26.5.4 is a critical security patch release addressing 5 CVEs including SAML vulnerabilities and authorization bypass issues. Includes performance improvements and cluster stability fixes.

  • securityImmediate upgrade required for multiple CVEs

    This release fixes 5 CVEs including authorization bypass and DoS vulnerabilities. Review your SAML configurations and Docker registry protocol usage. Schedule immediate upgrade during next maintenance window, especially if using SAML brokering or have Docker registry integrations.

  • securityVerify client secret exposure in configurations

    CVE fix addresses client secret disclosure on unauthenticated endpoints. After upgrade, audit your client configurations and rotate any potentially exposed secrets. Review access logs for unauthorized config endpoint access.

  • enhancementOptimize cluster performance post-upgrade

    New session ID key affinity and improved caching will enhance performance in clustered deployments. Monitor login page response times and cluster stability after upgrade - you should see reduced database queries and better load distribution.

主な変更 (5)
  • Fixed 5 critical CVEs including SAML response delays, authorization header parsing bypass, and DoS vulnerabilities
  • Resolved client secret information disclosure on unauthenticated config endpoints
  • Enhanced session ID key affinity mechanism for improved load balancing
  • Fixed cluster rejoining issues with 3+ node configurations using jdbc-ping
  • Improved database query caching performance on login page loads
原文

gRPC

Networking & Messaging2026年2月20日

日本語 準備中gRPC v1.78.1 is a maintenance release addressing critical Python fork handling issues and Ruby 4.0 compatibility, with no breaking changes for most users.

  • enhancementUpgrade to resolve Python multithreading issues

    This release fixes a critical bug where Python applications using gRPC in multithreaded environments with fork() would hang with 'Other threads are currently calling into gRPC, skipping fork() handlers' errors. If you're experiencing similar issues, upgrade immediately and test your fork-heavy workloads.

  • enhancementPlan Ruby 4.0 migration path

    With Ruby 4.0 support now available, review your Ruby-based gRPC services for compatibility testing. The native gems should provide better performance, but validate your deployment pipeline supports the new Ruby version before upgrading production systems.

主な変更 (4)
  • Fixed Python fork support inconsistency causing request processing hangs in multithreaded environments
  • Removed unintentional warning log messages in Python implementations
  • Added Ruby 4.0 support with native gem builds
  • Updated Python API documentation site with modern design
原文

Kyverno

Security2026年2月19日

日本語 準備中Kyverno v1.17.1 is a focused patch release fixing a CVE, multiple crash/panic conditions, race conditions, and image verification bugs that could silently misbehave in production.

  • securityPatch CVE-2025-68121 now

    CVE-2025-68121 is fixed in this release. Details on scope are limited in the notes, but any CVE fix in an admission controller warrants immediate attention. If you're on v1.17.0, upgrade to v1.17.1 before doing anything else. Don't wait for your next maintenance window.

  • breakingVerify your policy exclusion rules if you use empty lists

    A bug was fixed where an empty list in a policy exclusion would silently exclude ALL resources instead of none. If you have any ClusterPolicy or Policy with exclusion blocks, audit them now. If you were unknowingly relying on empty-list-as-exclude-all behavior (unlikely but possible), your policies will now behave correctly — meaning resources that were previously skipped will now be evaluated.

  • enhancementImage verification with TSA and private registries is now reliable

    Two separate ivpol fixes land here: signed timestamp verification is now correctly enabled when a TSACertChain is provided, and private registry secrets in the Kyverno namespace are now used during background report scanning. If you've been seeing unexpected verification failures in background scans or with TSA-based signature policies, upgrade and re-run your report scans to get accurate results.

主な変更 (5)
  • CVE-2025-68121 patched — update immediately if running v1.17.0
  • Panic fixed in metrics wrapper when generate response returns no result — previously could crash the controller
  • Race conditions eliminated in configuration.IsExcluded() and ReportsBreaker — affected correctness under concurrent load
  • Image verification (ivpol) fixes: private registry auth now works in reports scanner, multi-signature annotation validation bug resolved, and TSA signed timestamp verification enabled when cert chain is provided
  • Empty list in policy exclusion no longer silently excludes all resources — a subtle but dangerous behavioral bug
原文

Fluentd

Observability2026年2月19日

日本語 準備中Fluentd v1.19.2 delivers critical bug fixes for socket leaks and connection timeouts, with Ruby 4.0 compatibility improvements. Priority fix for production stability issues affecting out_forward and HTTP server plugins.

  • securityUpgrade immediately to fix socket leak vulnerability

    HTTP server plugin had socket leaks in POST requests that could lead to resource exhaustion. This is a critical fix for production environments using HTTP input plugins. Update immediately and monitor socket usage after deployment.

  • breakingUpdate out_forward configurations for timeout handling

    The out_forward plugin now properly handles connection timeouts to prevent infinite loops. Review your forward output configurations and monitor for any connection behavior changes, especially in high-throughput environments where connection stability is critical.

  • enhancementPrepare for Ruby 4.0 migration

    This release adds Ruby 4.0 compatibility with updated gem dependencies including ostruct and net-http. Plan your Ruby upgrade path and test this version in staging environments if you're planning to move to Ruby 4.0.

主な変更 (5)
  • Fixed out_forward plugin timeout issue preventing infinite connection loops
  • Resolved socket leaks in HTTP server plugin POST requests
  • Fixed in_tail plugin errors when encountering unreadable files in glob patterns
  • Added Ruby 4.0 compatibility with updated gem dependencies
  • Fixed duplicate config file loading in config_include_dir
原文

Strimzi

Networking & Messaging2026年2月19日

日本語 準備中Strimzi 0.50.1 is a critical security patch addressing two CVEs affecting versions 0.47.0+, with mandatory CRD upgrades and final support for Kubernetes 1.27-1.29.

  • securityImmediate upgrade required for CVE fixes

    If running Strimzi 0.47.0 or newer, immediately review the CVE advisories and upgrade to 0.50.1. These are critical security vulnerabilities that require urgent patching in production environments.

  • breakingUpdate KafkaUser resources before upgrading

    Before upgrading, update all KafkaUser resources to use .spec.authorization.acls[]operations field instead of the deprecated .spec.authorization.acls[]operation field to avoid compatibility issues.

  • breakingPlan Kubernetes upgrade for Strimzi 0.51+

    This is the final version supporting Kubernetes 1.27-1.29. Plan to upgrade your clusters to Kubernetes 1.30+ before upgrading to Strimzi 0.51.0 or newer to maintain compatibility.

主な変更 (5)
  • Fixes two critical security vulnerabilities CVE-2026-27133 and CVE-2026-27134 affecting Strimzi 0.47.0+
  • Includes full CA chain in broker certificates for improved TLS certificate validation
  • Fixes bugs in v1 API conversion tool for number conversions and empty YAML handling
  • Last version supporting Kubernetes 1.27, 1.28, and 1.29 - future versions require K8s 1.30+
  • Continues migration to v1 APIs with mandatory CRD upgrades, especially critical for Helm users
原文

Backstage

CI/CD & App Delivery2026年2月18日

日本語 準備中Backstage v1.48.1 was released, but the published notes are too brief to summarize. See the original release notes for details.

原文

Kubeflow

AI & ML2025年12月15日

日本語 準備中Kubeflow v1.11.0 is a major feature release with several operator-facing changes: the default storage backend moves from MinIO to Seaweedfs, PodSecurityStandards enforcement tightens for both system and user namespaces, and Istio sidecar scope is pruned by default to reduce resource use on large clusters. Multiple component versions are bumped and Kubernetes 1.33+ with Kustomize 5.7.1 is now required, so plan for data migration and PSS compliance checks before upgrading.

  • breakingMinIO to Seaweedfs migration required

    The default S3 storage backend switches from MinIO to Seaweedfs. Existing MinIO data is not migrated automatically: back up and restore anything stored there before upgrading.

  • breakingStricter PodSecurityStandards enforcement

    System namespaces now enforce PodSecurityStandards 'restricted', and user namespaces enforce 'baseline'. Review workloads for compliance before upgrading, since pods violating these policies will be blocked.

  • breakingIstio sidecar scope pruned by default

    Istio sidecars are now pruned/limited by default instead of using full mesh scope, cutting sidecar memory and network overhead on large clusters. Cross-namespace service calls that relied on the previous full mesh visibility may need explicit configuration.

  • breakingNamespace pod overhead defaults to zero

    Namespaces/profiles now default to zero pod overhead instead of a nonzero reservation, roughly doubling the effective pod capacity per namespace. Check any capacity planning or quota assumptions tied to the old overhead value.

  • breakingKubernetes 1.33+ and Kustomize 5.7.1 required

    This release targets Kubernetes 1.33+ and the tested Kustomize version is 5.7.1. Running older Kubernetes or a different Kustomize version is degraded/unsupported and may cause manifest build or deployment issues.

  • breakingBitnami dependency deprecated

    Bitnami-based components are now deprecated in favor of other sources. Plan to migrate off Bitnami images/charts as they may be removed in a future release.

主な変更 (8)
  • Default S3 storage backend switches from MinIO to Seaweedfs; back up MinIO data before upgrading
  • PodSecurityStandards tightened: 'restricted' for system namespaces, 'baseline' for user namespaces
  • Istio sidecar scope pruned/limited by default to cut memory and network overhead on large clusters
  • Namespace/profile pod overhead defaults to zero, roughly doubling usable pod capacity per namespace
  • Requires Kubernetes 1.33+ and Kustomize 5.7.1; Bitnami dependency deprecated
  • Scalability work targeting 1000+ users/profiles/namespaces, plus S3 hard multi-tenancy with per-namespace credentials
  • Component bumps: KFP 2.15.0, Trainer 2.1.0, Training Operator 1.9.2, Katib 0.19.0, KServe 0.15.2, Istio 1.28.0, DEX 2.44, OAuth2-Proxy 7.13
  • Added deny-all NetworkPolicies for key system namespaces and experimental Istio Ambient Mode (ztunnel) support
原文
← 新しい古い →