RATATOSKRATATOSK
ログイン

リリース

CNCF graduated・incubatingプロジェクトのリリースノートのAI分析。

Helm

Kubernetes Core2026年6月12日

Helm v4.2.1 fixes data races in concurrent operations, corrects output routing for command messages, and resolves version constraint parsing issues that caused false negatives.

  • breakingVerify output parsing in automation after upgrade

    Helm command success messages now correctly write to stdout instead of stderr. If your CI/CD pipelines, monitoring, or shell scripts redirect or filter Helm output by stream, they may behave unexpectedly. Check any grep, tee, or output capture logic that assumes helm writes to stderr. Most scripts should work unchanged, but streaming-dependent logic needs review.

  • enhancementUse version range constraints without workarounds

    Helm 4 previously rejected or warned about valid version range constraints like prerelease versions and missing spaces (e.g., 'v1.0.0||v1.1.0'). This is now fixed. If you've avoided version ranges or used pinned versions as a workaround, you can now adopt constraint-based version selection, which simplifies dependency management in large deployments.

  • enhancementUpgrade to get concurrent operation stability

    Multiple race conditions in concurrent goroutines (upgrade + rollback, install + uninstall on the same client, and WaitForDelete timing) are now fixed. Teams running high-concurrency Helm operations (e.g., multi-chart deployments, parallel reconciliation loops, or large test suites) should upgrade to eliminate intermittent failures. This is particularly important if you see flaky test results in your CI pipeline.

主な変更 (5)
  • Fixed data race in GetWaiterWithOptions when concurrent upgrade/rollback and install/uninstall operations target the same FailingKubeClient instance
  • Corrected helm command output routing: success messages now write to stdout instead of stderr
  • Fixed Helm 4 false negatives when parsing version range constraints (e.g., prerelease versions, missing spaces in || operator)
  • Patched WaitForDelete race condition where status observer canceled watches prematurely, causing intermittent test failures
  • Updated dependencies: cli-utils 1.2.1, controller-runtime 0.24.1, k8s 1.36.1, and golang.org/x/net v0.55.0 (GO-2026-5026)
原文

Helm

Kubernetes Core2026年6月12日

Helm v3.21.1 fixes a nil pointer panic in template operations and updates dependencies. A straightforward patch for stability.

  • securityUpgrade for Go security patch GO-2026-5026

    golang.org/x/net was bumped to v0.55.0 to fix GO-2026-5026. This is a supply-chain dependency, not directly exposed in Helm's API. Upgrade if your security scanning flags net vulnerabilities. No action needed if you're just using Helm normally—the fix is built in.

  • breakingClientOnly template operations now error correctly instead of panicking

    Helm template commands executed without cluster access (ClientOnly mode) previously crashed with nil pointer panics. v3.21.1 returns proper template errors instead. If you have automation that catches panics, update error handling to expect typed template errors. Test your template workflows before production rollout.

  • enhancementRegistry credentials now persist through HTTP fallback

    Registry operations now keep credentials when falling back from HTTPS to plain HTTP, thanks to oras-go v2.6.1. If you use private registries with HTTP-only endpoints, this improves reliability. No configuration change needed; the fix is automatic.

主な変更 (3)
  • Fixed nil pointer panic in helm template when running in ClientOnly mode (no Kubernetes cluster)
  • Preserved registry credentials on plain-HTTP fallback via oras-go v2.6.1 update
  • Bumped Go to 1.26 and golang.org/x/net to v0.55.0 to address GO-2026-5026
原文

Kubernetes

Kubernetes Core2026年6月12日

Kubernetes v1.36.2 is a patch release fixing critical bugs in Dynamic Resource Allocation (DRA) scheduler, CSI volume republishing, and endpoint controller, plus a Go 1.26.4 build update.

  • securityBinary non-UTF8 Secret data in container env vars now handled correctly

    Kubernetes 1.34+ had a regression where containers could not properly read environment variables set from Secret API objects containing binary non-UTF8 data. This is fixed in 1.36.2. If your workloads use non-text Secret data in environment variables, upgrade to prevent decode errors or silent failures.

  • breakingDRA device allocation bug affects multi-device workloads

    Kubernetes 1.36.0–1.36.1 has a scheduler bug that assigns mutually exclusive device partitions to multiple Pods when drivers use SharedCounters with multi-allocatable devices. This can cause workload failures, device conflicts, crashes, or data loss. If you use DRA with multi-allocatable devices (especially GPUs or custom accelerators with shared counters), upgrade to 1.36.2 immediately. Review recent Pod scheduling decisions for conflicts.

  • enhancementCSI volume republish failures no longer corrupt mount state

    Kubelet was incorrectly deleting CSI mount directories when periodic NodePublishVolume calls (triggered by requiresRepublish=true) failed, leaving pods with stale volume content. This is fixed in 1.36.2. If you run CSI drivers with requiresRepublish=true, this patch eliminates a data consistency risk—upgrade to prevent potential data issues on transient network or storage errors.

主な変更 (7)
  • Built with Go 1.26.4 for improved runtime stability
  • Fixed DRA scheduler bug that could assign mutually exclusive device partitions to multiple Pods, risking workload failures or data loss
  • Fixed kube-scheduler panic when DRA ResourceClaim with allocationMode: All selects shared counter devices
  • Fixed kubelet incorrectly deleting CSI mount directories on periodic NodePublishVolume errors, leaving stale volume content
  • Fixed regression where suspended Job spec modifications were rejected if JobSuspended condition was not yet set
  • Fixed endpoint controller panic on services with empty IPFamilies field
  • Fixed container environment variable handling for binary non-UTF8 data from Secrets
原文

Kubernetes

Kubernetes Core2026年6月12日

Kubernetes v1.35.6 fixes critical issues in pod scheduling with multi-node claims, DRA device selection, CSI volume republishing, and endpoint handling; includes a Go runtime upgrade and performance improvements.

  • securitySecret binary data in environment variables now handled correctly

    A 1.34+ regression broke environment variable injection from Secrets containing non-UTF8 binary data (e.g., certificates, keys in base64-encoded Secrets). If you inject Secrets as env vars and those Secrets contain binary data, upgrade to v1.35.6. Test this quickly if you run database credentials or keys via Secrets—the bug may have silently broken injection.

  • breakingUpgrade Go runtime to 1.25.11 in your build pipeline

    Kubernetes v1.35.6 is built with Go 1.25.11. If you run custom controllers or operators on the same Go version, verify compatibility and rebuild. If your CI/CD locks Go versions, update your build configuration. This is standard but must be done; old Go versions may have security gaps you're inheriting.

  • enhancementDRA scheduling and CSI republishing now reliable for dynamic resource allocation

    Three bugs are fixed: (1) scheduler no longer panics on DRA ResourceClaim with AllocationMode All and shared counters; (2) pods using multi-node and per-node claims no longer deadlock in Pending; (3) kubelet no longer deletes CSI mount directories on transient NodePublishVolume errors, preventing stale volume data. If you use DRA (dynamic resource allocation) or CSI with republish enabled, this release eliminates previously deadlocking scenarios. Upgrade to clear stuck pods and prevent future hangs.

主な変更 (6)
  • Upgraded to Go 1.25.11 for runtime stability and security patches
  • Fixed pod scheduling deadlock when using both multi-node and per-node DRA claims
  • Fixed kube-scheduler panic with DRA ResourceClaim AllocationMode consuming shared counters
  • Fixed kubelet deleting CSI mount directories on periodic NodePublishVolume failures, causing stale volumes
  • Fixed endpoint controller panic on services with empty IPFamilies field (pre-dual-stack services)
  • Fixed environment variable handling for Secret objects containing binary non-UTF8 data
原文

Kubernetes

Kubernetes Core2026年6月12日

Kubernetes v1.34.9 fixes volume handling in CSI mounts, binary secret data in containers, endpoint controller panics, and kubeadm certificate handling. Go 1.25.11 build improves runtime performance.

  • breakingUpgrade kubelet if running CSI drivers with requiresRepublish enabled

    A 1.34+ regression caused kubelet to delete CSI mount directories on republish failures, stranding pods with stale volume data. If you run CSI drivers with spec.requiresRepublish=true, upgrade immediately. Check your CSI driver specs and watch for failed republish attempts in kubelet logs before upgrading to confirm you hit this bug.

  • breakingTest binary Secret injection in container environment variables

    v1.34 broke environment variable parsing for containers referencing Secrets with binary (non-UTF8) data. If your workloads inject Secret data into environment variables, test them after upgrading. Check application startup logs for parsing errors; you may need to base64-encode binary Secret values instead.

  • enhancementUpdate Go runtime for performance and security

    v1.34.9 uses Go 1.25.11, which includes runtime optimizations and security patches. Upgrade when you next rotate your control plane and worker nodes. No code changes needed on your side, but the Go update may improve latency and reduce memory usage in your cluster.

主な変更 (5)
  • Kubernetes now built with Go 1.25.11 for improved performance and security patches
  • Fixed kubelet CSI mount directory deletion that left pods with stale volume contents after republish errors
  • Fixed panic in endpoint controller when processing services with empty IPFamilies field
  • Fixed regression in container environment variable parsing when values reference Secrets containing binary non-UTF8 data
  • Kubeadm certificate dry-run mode now correctly copies existing CA files
原文

Dapr

Orchestration & Management2026年6月11日

Dapr 1.16.15 fixes a sentry crash that blocks all mTLS identity issuance when the issuer key is Ed25519 or RSA — directly relevant to anyone who downgraded from 1.18 or rotated their issuer key type.

  • breakingUpgrade to 1.16.15 if you downgraded from 1.18 or rotated your issuer key

    If your 1.16 control plane has an Ed25519 or RSA issuer key in the dapr-trust-bundle secret — which happens automatically after a 1.18 downgrade — dapr-sentry crash-loops and no new mTLS certificates are issued. Existing sidecars with unexpired certs keep working, but any pod restart or cert expiry will cause identity failures. Upgrade to 1.16.15 immediately. If you cannot upgrade right now, the only workaround is to replace the issuer key in dapr-trust-bundle with an ECDSA P-256 key.

主な変更 (5)
  • dapr-sentry crashes on startup with 'unsupported key type' when the trust bundle contains an Ed25519 or RSA issuer key
  • Root cause: dapr/kit's EncodePrivateKey only matched *ecdsa.PrivateKey and *ed25519.PrivateKey (pointer form), missing the value-type Ed25519 and RSA entirely
  • Fix: dapr/kit v0.16.3 now handles ed25519.PrivateKey (value), *rsa.PrivateKey, and *ecdsa.PrivateKey via PKCS#8 round-trip
  • Affects 1.16 clusters downgraded from 1.18, or any 1.16 deployment where the issuer key was manually rotated to Ed25519 or RSA
  • While sentry is crash-looping, sidecars with valid unexpired certs keep running, but any fresh start or cert rotation fails
原文

Falco

Security2026年6月11日

Falco 0.44.1 adds BPF iterator control and fixes multiple BPF-related issues via a libs bump. Minimal release focused on stability for deployments using kernel-level tracing.

  • breakingUpdate libs and kernel driver together

    This release bumps libs to 0.25.4 and driver to 10.2.0+driver. If you pin kernel driver versions separately from Falco, ensure you update both in the same maintenance window. Mismatched versions can cause syscall capture failures or silent data loss.

  • enhancementControl BPF iterator behavior if you hit performance or compatibility issues

    Falco 0.44.1 introduces a config option to disable BPF iterators. If you run Falco on kernels with problematic BPF iterator implementations or see high CPU usage tied to iterator overhead, test disabling them. Check your Falco logs and metrics after upgrading to confirm the fix resolves any BPF-related instability you were seeing in 0.44.0.

主な変更 (3)
  • Add disabling option for BPF iterators in userspace Falco configuration
  • Bump libs to 0.25.4 and driver to 10.2.0+driver to resolve BPF iterator bugs
  • Support for both x86_64 and aarch64 packages across rpm, deb, and tgz formats
原文

Envoy

Networking & Messaging2026年6月10日

Envoy v1.38.2 is a small patch release: one RTDS runtime bug fix and two opt-in HTTP/2 cookie observability features. No security fixes.

  • breakingRTDS runtime guard fix changes delete behavior — verify your override logic

    If your config management deletes RTDS runtime guard overrides expecting them to revert to default, prior behavior was broken and left stale values. After upgrading to v1.38.2, deletes will now correctly restore defaults. Test any automation that removes runtime overrides to confirm it behaves as intended.

  • enhancementUse new HTTP/2 cookie size limit to guard against oversized headers

    The new envoy.reloadable_features.http2_max_cookies_size_in_kb flag lets you cap the reassembled cookie header size in HTTP/2. If your deployment handles untrusted upstream or downstream traffic with large cookie headers, set an explicit limit to reduce memory pressure. The default is unlimited, so this is opt-in.

主な変更 (3)
  • RTDS runtime fix: deleting a runtime guard override now correctly restores the default value instead of leaving stale state
  • New opt-in HTTP/2 header histograms (entry count, byte size, cookie length/count) via envoy.reloadable_features.http2_record_histograms — temporary, will be removed in a future release
  • New runtime flag envoy.reloadable_features.http2_max_cookies_size_in_kb to cap reassembled cookie header size (disabled/unlimited by default)
原文

Envoy

Networking & Messaging2026年6月10日

Envoy v1.37.4 is a small patch with one RTDS bug fix and two opt-in HTTP/2 cookie-related observability/safety features. No security CVEs.

  • breakingRTDS override deletion behavior changed — verify runtime guard state

    If your deployments rely on RTDS to manage runtime guard overrides, the old behavior left stale override values after deletion. The fix now restores the process-wide default. Check that your expected default values are actually what you want after an override is removed, especially if you were working around the old broken behavior.

  • enhancementUse the new cookie size limit to protect against oversized cookie headers

    HTTP/2 reassembled cookie headers had no size cap before this release. If you proxy untrusted HTTP/2 clients, set envoy.reloadable_features.http2_max_cookies_size_in_kb to a reasonable limit (e.g., 32–64 KB) to prevent unexpectedly large cookie payloads from reaching upstreams. The default remains unlimited, so this requires an explicit opt-in.

  • enhancementEnable HTTP/2 header histograms in staging to baseline your traffic

    The new envoy.reloadable_features.http2_record_histograms flag adds histograms for header count, map byte size, and cookie metrics. These are useful for understanding HTTP/2 header pressure in your fleet. Enable in a non-production environment first — note these metrics will be removed in a future Envoy release, so don't build long-term dashboards around them.

主な変更 (4)
  • RTDS bug fix: deleting a runtime guard override now correctly falls back to the process-wide default instead of leaving a stale value
  • New opt-in HTTP/2 header histograms (header count, byte size, cookie length/count) — enable via envoy.reloadable_features.http2_record_histograms
  • New runtime flag envoy.reloadable_features.http2_max_cookies_size_in_kb to cap reassembled cookie header size (disabled/unlimited by default)
  • HTTP/2 header histograms are explicitly temporary — they will be removed in a future release
原文

Envoy

Networking & Messaging2026年6月10日

Envoy v1.36.8 is a minor patch with one bug fix and two opt-in HTTP/2 observability features. No breaking changes or CVEs.

  • breakingHTTP/2 header histograms are temporary — don't build dashboards on them

    The new http2_record_histograms feature and its runtime guard are explicitly scheduled for removal in a future Envoy release. If you enable them for debugging HTTP/2 header issues, treat the resulting metrics as short-lived. Don't wire them into permanent dashboards or alerts that would break on upgrade.

  • enhancementEnable HTTP/2 header histograms if you're debugging large header or cookie payloads

    If you're seeing unexpectedly large HTTP/2 requests or cookie-related issues, flip envoy.reloadable_features.http2_record_histograms to get histograms on header entry count, byte size, and cookie metrics. Pair this with envoy.reloadable_features.http2_max_cookies_size_in_kb to enforce a hard cap on reassembled cookie header size — useful if you need to protect upstream services from oversized cookie headers.

主な変更 (4)
  • RTDS runtime guard override deletion now correctly restores the process-wide default value instead of leaving it in a broken state
  • New opt-in HTTP/2 header histograms (entry count, byte size, cookie length, cookie count) enabled via envoy.reloadable_features.http2_record_histograms
  • New runtime flag envoy.reloadable_features.http2_max_cookies_size_in_kb to cap reassembled cookie header size; no limit enforced by default
  • HTTP/2 histograms and their runtime guard are explicitly temporary — they will be removed in a future release
原文

Dapr

Orchestration & Management2026年6月10日

Dapr 1.18 is a large release centered on workflow security and durability (tamper detection, access policies, history propagation, concurrency limits), with Jobs API and HotReload graduating to GA and several breaking changes requiring pre-upgrade review.

  • securityEnable WorkflowAccessPolicy in shared or multi-tenant clusters

    Before 1.18, any caller in the same trust domain could schedule, terminate, or query any other app's workflows. The new WorkflowAccessPolicy CRD lets you lock this down per-operation with glob-pattern rules. The default is still open (no policy = all calls allowed), so existing deployments are unaffected — but teams running shared clusters should define policies now. Also: redis common components previously skipped TLS cert verification unconditionally; this is fixed in 1.18, so verify your Redis TLS config is correct before upgrading.

  • breakingDo not roll back from 1.18 directly to 1.17.6 or earlier

    Sentry 1.18 writes an Ed25519-keyed CA into the dapr-trust-bundle secret. Any Sentry version before 1.17.7 cannot parse this and will crash-loop, blocking all new certificate issuance. Before upgrading, confirm your rollback target is 1.17.7+. If you need to go below 1.17.7, downgrade to 1.17.7 first, stabilize, then continue. Also audit any code that relied on silent workflow ID reuse — it now gets a hard conflict error.

  • breakingHop-by-hop headers stripped on service invocation — check your apps

    Standard HTTP hop-by-hop headers (Connection, Keep-Alive, Transfer-Encoding, etc.) are now stripped during service invocation per RFC 7230. Any app relying on these headers passing through will silently break. Audit service invocation call sites and move to non-hop-by-hop equivalents before upgrading.

  • enhancementEnable workflow history signing for audit-sensitive workloads

    Workflow history signing is opt-in and disabled by default. It requires mTLS to be active. Before turning it on cluster-wide, let any in-flight unsigned workflows complete or purge them — enabling signing on a workflow that started unsigned is a hard verification error with no catch-up path. Once enabled, a tampered workflow is terminated and flagged with DAPR_WORKFLOW_HISTORY_TAMPERED, leaving the original state intact for forensic review. Good candidate for compliance-sensitive or multi-tenant workflow deployments.

主な変更 (7)
  • Sentry now generates Ed25519 workload identity keys — rollback floor is 1.17.7; rolling back to 1.17.6 or earlier crashes Sentry
  • WorkflowAccessPolicy CRD added for per-operation allow-list access control between apps; default is open (no policy = all allowed)
  • Workflow history signing added (opt-in, one-way) for tamper detection via chained SPIFFE-signed event batches
  • HotReload is now GA and on by default — Components, Subscriptions, Configurations, Resiliencies, and more reload without sidecar restart
  • Jobs API graduates to stable; alpha RPCs deprecated but still functional — migrate app code to ScheduleJob/GetJob/DeleteJob
  • Workflow ID reuse semantics changed: creating a workflow with an existing active instance ID now returns a conflict error instead of silently overwriting
  • Java SDK minimum version bumped to Java 17; Spring Boot baseline moves to 3.5
原文

Envoy

Networking & Messaging2026年6月10日

Envoy v1.35.12 is a minor patch with one runtime bug fix and two opt-in HTTP/2 cookie/header observability features. No breaking changes or CVEs.

  • breakingRTDS override deletion behavior changed — verify runtime guard defaults

    If you rely on RTDS to manage runtime guard overrides, test this fix in staging. Previously, deleting an override left the old value active; now it resets to the process default. Any automation that deleted overrides expecting them to persist will behave differently.

  • enhancementUse the new HTTP/2 cookie size limit to guard against oversized cookie headers

    The new envoy.reloadable_features.http2_max_cookies_size_in_kb flag is off by default. If your deployments accept untrusted HTTP/2 traffic, consider setting a reasonable limit to bound memory usage from reassembled cookie headers. Pair it with the new histograms to first measure your actual cookie sizes before choosing a cap.

主な変更 (3)
  • Runtime bug fix: deleting an RTDS runtime guard override now correctly restores the process-wide default, instead of leaving the previous override in place.
  • New opt-in HTTP/2 header histograms (entry count, byte size, cookie length, cookie count) via envoy.reloadable_features.http2_record_histograms — note these will be removed in a future release.
  • New runtime flag envoy.reloadable_features.http2_max_cookies_size_in_kb lets you cap the size of the reassembled cookie header; no limit is enforced by default.
原文

Chaos Mesh

Observability2026年6月10日

Chaos Mesh v2.8.3 is a security-focused patch: critical/high CVEs addressed via Go 1.25.11 and containerd 1.7.32 upgrades, plus a NetworkChaos recovery bug fix.

  • securityUpgrade to v2.8.3 to patch critical/high CVEs

    The Go toolchain and containerd in the container images had critical/high CVEs. If you're running Chaos Mesh on release-2.8, upgrade to v2.8.3 now. No config changes needed — this is a drop-in image update.

  • breakingVerify NetworkChaos experiments involving crash-looping pods

    NetworkChaos recovery previously failed when the target container was in CrashLoopBackOff. v2.8.3 fixes this by falling back to the pause container's PID. If your test environments include intentionally crash-looping workloads, re-run those experiments to confirm recovery behaves correctly after the upgrade.

主な変更 (5)
  • Go toolchain upgraded to 1.25.11 and containerd to 1.7.32 to patch critical/high container image CVEs
  • memStress helper rebuilt with updated Go toolchain (v0.3.1)
  • chaos-daemon image switched to headless JRE, reducing attack surface
  • NetworkChaos recovery now falls back to sandbox (pause) container PID when the target is in CrashLoopBackOff
  • Deprecated wait.PollImmediate replaced with wait.PollUntilContextTimeout in e2e tests
原文

NATS

Networking & Messaging2026年6月9日

NATS v2.12.11 is a single-fix patch release targeting a JetStream regression in v2.12.7 that caused stale subject state tracking and 'Message Not Found' errors on streams with per-subject message limits.

  • breakingUpgrade if you use max-messages-per-subject on any stream

    If you run NATS 2.12.7–2.12.10 and have streams configured with MaxMsgsPerSubject (max_msgs_per_subject), you are exposed to silent stale-state bugs that surface as 'Message Not Found' errors. These errors can cause consumers to miss messages or behave unpredictably. Upgrade to 2.12.11 immediately. If you are already on 2.14.x, you are not affected and no action is needed.

主な変更 (4)
  • Fixed JetStream regression (introduced v2.12.7): stale subject state tracking caused 'Message Not Found' errors when max-messages-per-subject is configured
  • Go runtime updated to 1.25.11
  • v2.14.x is unaffected by this regression — only 2.12.7 through 2.12.10 users need to act
  • No other changes in this release
原文

CoreDNS

Kubernetes Core2026年6月9日

CoreDNS v1.14.4 delivers a broad set of targeted fixes and new capabilities: DNSSEC signing correctness fix, cache behavior improvements, forward plugin now resolves hostnames, and several transport security hardening items.

  • breakingDNSSEC signing behavior changed — review delegated zone setups

    The fix to sign each RRset with its owning zone rather than the query zone is technically correct, but if you have multi-zone DNSSEC setups with delegations, validate your signed responses after upgrading. Zones that were relying on the previous (incorrect) signing behavior may produce different signatures. Run dnssec-verify on a sample of records before cutting over in production.

  • enhancementUse hostname-based forward targets instead of hard-coded IPs

    The forward plugin now resolves hostnames for TO endpoints at runtime. If your CoreDNS configs currently pin upstream resolver IPs, you can switch to FQDNs and let CoreDNS handle resolution. This simplifies config management in environments where upstream IPs change (e.g., cloud-managed resolvers). Test in staging first — resolution failures at startup could affect forwarding.

  • enhancementRemove the 3600s cache TTL ceiling if longer TTLs are appropriate

    Cache TTLs were previously capped at 3600s regardless of the DNS record's actual TTL. That cap is gone. For stable records (root hints, internal authoritative zones) you can now set higher max_ttl values to reduce upstream query load. Audit your cache plugin config and raise max_ttl where it makes sense.

主な変更 (5)
  • DNSSEC signing fix: RRsets are now signed with the zone that owns the name, not the query zone — this corrects a subtle but real signing correctness bug
  • Forward plugin now supports hostname resolution for TO endpoints, removing the need to pre-resolve IPs in configs
  • Cache TTL cap of 3600s removed; serve_stale gains an optional verify timeout; positive cache is preferred over SERVFAIL in negative cache
  • File plugin triggers zone reload on mtime change — no more manual reload signals for zone file updates
  • dnstap plugin now supports incoming connections; secondary plugin gains fallthrough support
原文

OpenTelemetry

Observability2026年6月8日

OTel Collector v0.154.0 fixes a startup crash in exporterhelper and changes --skip-get-modules behavior. Two minor enhancements add TLS and CORS config options.

  • securityinclude_insecure_cipher_suites is opt-in — keep it that way

    The new configtls option lets you re-enable weak cipher suites, but they stay disabled by default. Do not set include_insecure_cipher_suites: true in production unless you're forced to by a legacy peer — and if you are, treat it as a temporary workaround and track it.

  • breakingCheck custom build pipelines using --skip-get-modules

    If your OCB-based build scripts pass --skip-get-modules expecting go.mod to be regenerated as a side effect, that no longer happens. Audit any CI pipelines that relied on this implicit behavior and add an explicit go mod tidy step if needed.

  • enhancementUpgrade if you use sending_queue with sizer enabled

    The nil-pointer panic fix in exporterhelper is critical for anyone who sets sending_queue.sizer alongside batch.enabled: false. If your collector was crashing on startup in this config, v0.154.0 resolves it — upgrade directly.

主な変更 (5)
  • cmd/builder: --skip-get-modules no longer rewrites go.mod — it now truly skips module operations as documented
  • pkg/exporterhelper: fixes nil-pointer panic at startup when sending_queue.sizer is set and sending_queue.batch.enabled is false
  • pkg/config/configtls: new include_insecure_cipher_suites option, disabled by default
  • pkg/confighttp: CORSConfig gains ExposedHeaders field to control Access-Control-Expose-Headers response header
  • cmd/mdatagen: numeric validators (minimum, maximum, exclusiveMinimum, exclusiveMaximum) now supported in generated config structs
原文

KEDA

Orchestration & Management2026年6月8日

KEDA 2.20.1 fixes a critical race condition that caused panics during concurrent scaling and restores missing startup events for ScaledJobs. Upgrade required if running 2.20.0.

  • securityUpgrade to 2.20.1 if you saw panic crashes during concurrent scaling

    A concurrent map read/write race condition in the status update logic caused KEDA to panic when ScaledObjects or ScaledJobs scaled simultaneously (multiple triggers active at once). This is fixed in 2.20.1. If you experienced panics in 2.20.0 during periods of high scaling activity, upgrade immediately.

  • breakingReview breaking changes in v2.20.0 before upgrading

    KEDA 2.20.0 introduced breaking changes. If you operate KEDA clusters on versions before 2.20.0, review the v2.20.0 release notes at the GitHub link provided in the warning before upgrading to 2.20.1. Do not skip directly from < 2.20.0 to 2.20.1 without reading those notes first.

  • enhancementRestore ScaledJob scaler startup event visibility

    KEDA was failing to emit the KEDAScalersStarted event for ScaledJobs due to Kubernetes event aggregation key collision. Monitoring tools or dashboards relying on this event to track scaler initialization may have missed ScaledJob startup signals. Upgrade to 2.20.1 to restore proper event emission.

主な変更 (3)
  • Fixed concurrent map read/write race condition causing panics during simultaneous trigger scaling
  • Fixed KEDAScalersStarted event not being emitted for ScaledJobs due to event aggregation key collision
  • Upgrade strongly recommended if running 2.20.0; breaking changes exist in 2.20.0 requiring careful review before upgrade from earlier versions
原文

gRPC

Networking & Messaging2026年6月8日

gRPC v1.81.1 is a patch release fixing memory safety bugs on Windows and ARM, plus Python/Ruby housekeeping. No API-breaking changes.

  • breakingPython 3.9 and Ruby 3.1 are no longer supported

    If your services run gRPC Python on 3.9 or Ruby on 3.1, upgrading to v1.81.1 will break your build. Check your runtime versions before upgrading. Python 3.10+ and Ruby 3.2+ are the minimum now.

  • enhancementUpgrade Windows/ARM deployments to get memory safety fixes

    Two Windows EventEngine races and an ARM completion queue shutdown race are fixed. If you run gRPC servers on Windows or ARM-based hosts (e.g., Graviton), this patch is worth applying — use-after-free and assertion crashes are hard to reproduce but can cause random service failures.

  • enhancementprotobuf 7.x now allowed for gRPC Python

    The grpc-status package previously capped protobuf at <6.x. With the upper bound relaxed to 7.x, you can now unpin protobuf in Python services that use grpc-status alongside other libraries requiring newer protobuf versions.

主な変更 (5)
  • EventEngine: two Windows-specific bugs fixed — a use-after-free and a race causing assertion errors
  • Core: completion queue shutdown race fixed on weak memory model architectures (ARM)
  • Python: dropped Python 3.9 support; protobuf dependency upper bound relaxed to allow 7.x
  • Ruby: dropped EOL Ruby 3.1 support; fixed CallCredentials reference leak
  • Python: AsyncIO observability support added
原文

Crossplane

Orchestration & Management2026年6月5日

Patch release adding a v2 upgrade readiness scanner, a golang.org/x/net security fix, and a runtime bump. The new CLI command is the practical reason to upgrade now.

  • securityUpdate immediately for golang.org/x/net fix

    golang.org/x/net was updated to v0.55.0 to address a security issue. The release notes tag this as a security dependency update, so treat it as mandatory. Upgrade to v1.20.9 before the next planned maintenance window, don't wait for a convenient moment.

  • breakingTreat upgrade check findings as real blockers, not warnings

    The command reports usage of features that are removed or changed in v2 — native patch-and-transform Compositions, ControllerConfig, external secret stores, and unqualified package sources. These are not deprecation warnings; they are hard blockers. If your control plane has any findings, start migration work using the linked guides before attempting any v2 upgrade. Ignoring them and upgrading anyway will break running workloads.

  • enhancementRun upgrade check before any v2 planning work

    If your team is on a v1.x control plane and Crossplane v2 is anywhere on the roadmap, run `crossplane beta upgrade check` against your environment now. It surfaces exactly which Compositions, ControllerConfigs, and package references will block an upgrade — saving hours of manual audit. Pipe it with `-o json` into your CI pipeline to enforce a clean bill of health before any v2 upgrade PR is merged. The non-zero exit code makes gating trivial.

主な変更 (5)
  • New `crossplane beta upgrade check` command scans a live control plane for v2 breaking changes before you upgrade
  • Checks cover native P&T Compositions, ControllerConfig usage, external secret stores, unqualified package sources, and connection details
  • Output is human-readable by default, JSON-capable via `-o json`, exits non-zero on blockers — CI-gate friendly
  • Each finding links directly to relevant migration guides and `crossplane beta convert` commands where applicable
  • Security update: golang.org/x/net bumped to v0.55.0; crossplane-runtime updated to v1.20.9
原文

OpenFGA

Security2026年6月5日

v1.17.1 is a focused patch fixing two correctness bugs: stale cache reads and broken continuation tokens with pipe characters in type names.

  • securityStale cache reads could return incorrect authorization decisions — patch now

    The iterator cache was using write time rather than query start time as the LastModified anchor, meaning cached entries could persist beyond the intended validity window and serve stale data. In an authorization system, a stale 'allow' decision is a real risk. This is fixed in v1.17.1; upgrade immediately if you run with caching enabled.

  • breakingAudit type names with '|' if pagination was silently breaking

    If your FGA model uses type names containing the pipe character '|', continuation tokens were being deserialized incorrectly. This could cause ListObjects or similar paginated calls to return incomplete or wrong results without throwing obvious errors. Upgrade to v1.17.1 and re-test any pagination flows that touch those type names.

  • enhancementv2Check throttling fallback removed — verify your error handling

    Previously, v2Check would fall back to v1 behavior under throttling or validation errors, masking the actual problem. Now it surfaces those errors directly. If your application swallows check errors silently or assumes fallback behavior, you may start seeing errors that were previously hidden. Test under load before rolling out to production.

主な変更 (5)
  • Fixed stale-read bug in iterator cache: query start time now anchors the LastModified timestamp, preventing cached entries from surviving longer than intended
  • Fixed continuation token deserializer failing when type names contain the '|' character, which would silently break pagination
  • v2Check no longer falls back to v1 behavior when throttling or validation errors occur, enforcing stricter execution semantics
  • Go toolchain bumped to 1.26.4 and grpc-health-probe updated to v0.4.52
  • Caching documentation updated to reflect current behavior
原文

Istio

Networking & Messaging2026年6月4日

Istio 1.29.4 patches a high-severity DoS CVE in Envoy plus six bug fixes, including a critical ambient mode traffic routing bug that could silently send traffic to unhealthy endpoints cluster-wide.

  • securityPatch CVE-2026-47774 immediately — unauthenticated HTTP/2 DoS

    CVE-2026-47774 lets any unauthenticated attacker exhaust Envoy's memory via crafted HTTP/2 requests. Cookie header bytes aren't fully counted in header size validation, and HPACK limits apply only to encoded bytes — not decoded totals. If you're on 1.29.x, upgrade to 1.29.4 now. This is exploitable from outside the mesh wherever Envoy terminates HTTP/2, including ingress gateways.

  • breakingAmbient mode users: audit Services using publishNotReadyAddresses + traffic distribution

    If any Service in your ambient mesh combines publishNotReadyAddresses:true with PreferSameZone or PreferSameNode traffic distribution, every other Service sharing that traffic-distribution preset was receiving healthPolicy:AllowAll — meaning traffic could route to not-ready endpoints across the entire cluster. After upgrading to 1.29.4, verify endpoint health policies are correct. Check ztunnel logs for unexpected AllowAll entries before and after the upgrade to confirm the fix took effect.

  • enhancementCNI on older kernels: nftables fallback now automatic

    Hosts running an nft binary compiled without JSON support were causing the CNI agent to log errors and retry indefinitely on every pod removal — a silent drain on the agent's reliability. The new startup check detects this and switches to iptables automatically. No action needed for most users, but if you've been seeing 'JSON support not compiled-in' errors in CNI agent logs, this fix resolves the root cause.

主な変更 (5)
  • CVE-2026-47774 (CVSS 7.5): Envoy memory exhaustion via crafted HTTP/2 requests exploiting cookie header accounting gaps and HPACK decoded-size limits
  • Ambient mode bug fix: a single Service with publishNotReadyAddresses:true + traffic distribution preset was poisoning healthPolicy for all other Services sharing that preset
  • CNI agent now detects nft binary JSON support at startup and falls back to iptables backend instead of retrying indefinitely on every pod removal
  • Fixed concurrent map writes panic in istio-cni when two pods joined ambient mesh simultaneously on the same node
  • HTTPS listeners via ListenerSet now correctly deliver TLS certificates when the parent Gateway uses manual deployment
原文

Istio

Networking & Messaging2026年6月4日

Istio 1.28.8 patches a high-severity DoS CVE in Envoy's HTTP/2 memory handling, plus three bug fixes covering TLS delivery, route filter status reporting, and a nasty ambient mode health policy contamination bug.

  • securityPatch CVE-2026-47774 immediately if you expose HTTP/2 endpoints

    An unauthenticated attacker can crash your Envoy sidecars by sending specially crafted HTTP/2 requests that bypass header size validation — cookie bytes aren't counted properly, and HPACK limits apply only to encoded size, not decoded. Any cluster accepting external or untrusted HTTP/2 traffic is at risk. Upgrade to 1.28.8 now. If you can't upgrade immediately, consider adding Envoy-level request header size limits or WAF rules to filter malformed HTTP/2 frames as a temporary measure.

  • breakingAudit ambient mode clusters using publishNotReadyAddresses with zonal traffic distribution

    If you run ambient mode and any Service sets publishNotReadyAddresses:true alongside PreferSameZone or PreferSameNode, you've likely been routing traffic to not-ready endpoints across your entire cluster — not just for that Service, but for every Service sharing the same traffic-distribution preset. This is a silent data-plane correctness bug. After upgrading, verify endpoint health behavior across affected Services and check whether any downstream systems received traffic from unhealthy pods during the window this was active.

  • enhancementFix for silent route filter drops enables reliable config debugging

    Previously, HTTPRoute or GRPCRoute filters with invalid header values would vanish from Envoy config without any status signal — making it nearly impossible to diagnose why traffic wasn't behaving as expected. Now Istio reports an invalid filter status, which surfaces in the Gateway API resource status. After upgrading, re-check any routes you may have debugged by guesswork; the explicit status message will clarify whether a header filter was rejected.

主な変更 (4)
  • CVE-2026-47774 (CVSS 7.5): Unauthenticated attackers can exhaust Envoy memory via crafted HTTP/2 requests exploiting gaps in cookie header accounting and HPACK decoded size limits
  • HTTPS listeners on ListenerSet with manual Gateway deployment now correctly deliver TLS certificates
  • HTTPRoute/GRPCRoute filters with invalid header values now report an invalid filter status instead of silently disappearing from Envoy config
  • Critical ambient mode fix: a Service with publishNotReadyAddresses:true plus PreferSameZone/PreferSameNode no longer poisons healthPolicy for all other Services sharing the same traffic-distribution preset
原文

Istio

Networking & Messaging2026年6月4日

Istio 1.30.1 patches a high-severity DoS CVE in Envoy's HTTP/2 handling plus fixes 13 bugs including a CNI agent panic, a traffic distribution poison bug, and a consistent hash load balancing regression.

  • securityPatch CVE-2026-47774 immediately — unauthenticated HTTP/2 DoS

    An attacker can exhaust Envoy's memory using crafted HTTP/2 requests that exploit gaps in Cookie header accounting and HPACK decoded-size limits. No authentication required. If you're running any Istio 1.30.x version, upgrade to 1.30.1 now. Check whether your ingress gateways are exposed to untrusted traffic — those are the highest-risk surfaces.

  • breakingAmbient users with traffic distribution policies: audit Services immediately

    If you use ambient mode with any Service that sets publishNotReadyAddresses: true alongside PreferSameZone or PreferSameNode traffic distribution, the bug caused ztunnel to apply healthPolicy: AllowAll to OTHER unrelated Services sharing that preset. This means traffic has potentially been routed to not-ready endpoints across your cluster. After upgrading to 1.30.1, verify endpoint health state and check whether any unexpected traffic reached unready pods.

  • enhancementRun 'istioctl analyze' after upgrading to catch stale Gateway API CRDs

    Upgrading Istio without updating Gateway API CRDs was silently breaking TLS passthrough in 1.30.0 — istiod would filter resources without any visible error. The new IST0176 check surfaces this. After upgrading, run istioctl analyze and resolve any IST0176 findings before they cause silent routing failures in production.

主な変更 (5)
  • CVE-2026-47774 (CVSS 7.5): Envoy HTTP/2 memory exhaustion via crafted Cookie headers and HPACK decoding — patch immediately
  • Fatal CNI agent panic fixed: concurrent pod additions to ambient mesh on the same node triggered a map write race
  • Ambient mode traffic distribution bug: publishNotReadyAddresses + PreferSameZone/Node could corrupt healthPolicy for unrelated Services cluster-wide
  • New istioctl analyze check IST0176 detects stale Gateway API CRDs below Istio's minimum required version
  • nftables backend now falls back to iptables if the host's nft binary lacks JSON support, ending infinite retry loops on CNI pod removal
原文

Envoy

Networking & Messaging2026年6月4日

v1.38.1 is a security-focused patch addressing two HTTP/2 CVEs and two oauth2 vulnerabilities — upgrade immediately if running HTTP/2 or oauth2 filter.

  • securityPatch HTTP/2 and oauth2 CVEs now — don't wait for your next maintenance window

    Two HTTP/2 CVEs (cookie-bomb memory exhaustion via HPACK and nghttp2 CVE-2026-27135) plus two oauth2 bugs (timing oracle and a crash-as-auth-bypass) make this a must-apply patch. If you're running the oauth2 filter, the HMAC timing side-channel is particularly nasty — attackers could probe HMAC secret validity over time. Upgrade to v1.38.1 immediately. The new HTTP/2 header limit behavior is enabled by default; only revert with `envoy.reloadable_features.http2_include_cookies_in_limits` if you have a specific, documented reason.

  • breakingUpstream failure reason stripped from HTTP response bodies — check your client error handling

    Any downstream client or API consumer that parses or displays the upstream transport failure reason from the HTTP response body will now get nothing. The information is still in access logs. Audit your clients and dashboards before upgrading — if something depends on that response body content, you have a short window to either update the client or re-enable the old behavior with `envoy.reloadable_features.hide_transport_failure_reason_in_response_body`.

  • breakingEDS batch LB rebuild coalescing is now opt-in — test under high-churn service discovery

    Load balancer rebuild coalescing during EDS batch host updates is disabled by default. Environments with large EDS clusters and frequent host churn (e.g., Kubernetes rolling deployments with many pods) may see increased CPU from more frequent LB rebuilds. Benchmark your control-plane interaction patterns after upgrading. Re-enable the old behavior with `envoy.reloadable_features.coalesce_lb_rebuilds_on_batch_update` if you observe performance regression.

主な変更 (5)
  • CVE-2026-47774: HTTP/2 streams now reset on max header list size violations; uncompressed cookies count toward header size/count limits to block HPACK cookie-bomb attacks
  • CVE-2026-27135: nghttp2 patch applied — affects all HTTP/2 traffic
  • oauth2: timing side-channel in HMAC verification fixed, preventing secret validity leakage
  • oauth2: crash fixed where AES-CBC decryption could spuriously succeed on secret mismatch (~1/256 probability), triggering a HeaderString assert
  • Router no longer includes upstream transport failure reason in HTTP response body — only in access logs via %UPSTREAM_TRANSPORT_FAILURE_REASON%
原文

Envoy

Networking & Messaging2026年6月4日

v1.37.3 is a security-focused patch fixing two HTTP/2 CVEs and oauth2 vulnerabilities — upgrade immediately if you use HTTP/2 or oauth2 filter.

  • securityPatch HTTP/2 deployments now for CVE-2026-47774 and CVE-2026-27135

    Two HTTP/2 CVEs are fixed in this release. CVE-2026-47774 enables a cookie-bomb attack that causes excessive memory usage by sending large numbers of cookies that bypass header size limits before this fix. CVE-2026-27135 is an nghttp2-level vulnerability. If you terminate HTTP/2 traffic, upgrade to v1.37.3 immediately. The new cookie-counting behavior is enabled by default; if it causes regressions, you can temporarily disable it with the feature flag `envoy.reloadable_features.http2_include_cookies_in_limits`, but treat that as a short-term workaround only.

  • securityRotate oauth2 HMAC secrets after upgrading

    The timing side-channel in HMAC verification means a patient attacker could have probed whether a given secret was valid. After upgrading, rotate your oauth2 HMAC secrets as a precaution — especially in internet-facing deployments. The AES-CBC crash fix is also relevant: the previous 1/256 spurious decryption success could cause unpredictable auth behavior, not just crashes.

  • breakingCookie-heavy workloads may see HTTP/2 stream resets

    The CVE-2026-47774 fix changes how cookies are counted against `mutable_max_request_headers_kb` and `max_headers_count`. Clients sending many cookies that were previously accepted may now hit limits and receive stream resets. Test your high-cookie traffic patterns in staging before rolling this to production, and review your header size limits to ensure they are set appropriately for your workloads.

主な変更 (5)
  • CVE-2026-47774: HTTP/2 streams now reset when they exceed max header list size; uncompressed cookies count toward header limits to block HPACK cookie-bomb attacks
  • CVE-2026-27135: nghttp2 patch applied directly to address upstream vulnerability
  • oauth2: timing side-channel in HMAC verification fixed — could previously leak whether an HMAC secret was valid
  • oauth2: AES-CBC decryption crash fixed — a 1/256 chance of spurious success on secret mismatch was tripping an internal assertion
  • load_report: shutdown race condition with ADS stream resolved via proper gRPC stream cleanup
原文

Envoy

Networking & Messaging2026年6月4日

v1.36.7 is a security-focused patch addressing two CVEs in HTTP/2 and an HPACK cookie-bomb attack vector in the oauth2 filter, plus a crash fix. Upgrade immediately.

  • securityPatch HTTP/2 CVEs now — two CVEs affect any HTTP/2-exposed Envoy

    CVE-2026-47774 enables a cookie-bomb attack where crafted HPACK-compressed cookies inflate to exhaust Envoy memory. After patching, cookies count toward `mutable_max_request_headers_kb` and `max_headers_count`. If you see legitimate requests being reset post-upgrade, the escape hatch is the `envoy.reloadable_features.http2_include_cookies_in_limits` flag — but audit your header size limits first rather than disabling the protection. CVE-2026-27135 is an nghttp2-layer fix with no workaround; you must upgrade.

  • securityAudit oauth2 filter deployments for timing and decryption exposure

    Two oauth2 bugs fixed here are subtle but serious. The timing side-channel in HMAC verification could allow an attacker to probe secret validity over many requests. The AES-CBC crash (1/256 chance on bad tokens) is a reliability issue that could be triggered deliberately. If you use the oauth2 filter with token cookies, treat this as a high-priority upgrade — there's no configuration workaround for either issue.

  • breakingReview header size limits before deploying — cookie counting is a behavior change

    Cookies previously excluded from header size accounting now count toward limits. In practice, applications with many or large cookies may hit `max_headers_count` or `mutable_max_request_headers_kb` and get HTTP/2 stream resets where they didn't before. Before rolling out, check your current limit configurations against real traffic cookie sizes. If you need time, the reloadable feature flag lets you defer the behavior change, but don't leave it disabled long-term.

主な変更 (5)
  • CVE-2026-47774: HTTP/2 streams are now reset when they exceed max header list size; uncompressed cookies now count against header size/count limits to block HPACK cookie-bomb attacks
  • CVE-2026-27135: nghttp2 patch applied directly to the HTTP/2 stack
  • oauth2: timing side-channel in HMAC verification closed — could have leaked whether an HMAC secret was valid
  • oauth2: crash fixed where AES-CBC decryption could spuriously succeed (~1/256 probability) on a secret mismatch, triggering a HeaderString assertion
  • load_report: shutdown race condition with ADS stream resolved via proper gRPC stream cleanup
原文

KubeVirt

Orchestration & Management2026年6月3日

KubeVirt v1.8.3 is a patch release with 75 fixes targeting security, authorization, live migration stability, and GPU/DRA device handling — all worth deploying promptly.

  • securityPatch CVE and symlink traversal — upgrade now

    Two security issues demand attention: a gRPC CVE (GHSA-p77j-4mvh-x3m3) and a symlink traversal in the VMExport dir handler. Both are fixed in this release. If you use VMExport or expose VM data externally, treat this upgrade as urgent. Verify no malicious symlinks exist in existing VMExport directories before and after upgrading.

  • breakingRecording rule renames — update dashboards and alerts before upgrading

    kubevirt_vm_created_total and kubevirt_vm_created_by_pod_total are deprecated outright, and multiple other recording rules are being renamed for naming convention compliance. If your Grafana dashboards, alerting rules, or SLO queries reference these metrics, they will silently stop matching after upgrade. Audit your observability stack now and migrate to the new names before rolling this out to production.

  • enhancementLive migration is more reliable — especially on IPv6 and cross-namespace setups

    Several live migration bugs are resolved here: cross-namespace migration on IPv6 clusters now works, duplicate kubevirt_vmi_info series no longer break VirtualMachineStuckOnNode and VMCannotBeEvicted alerts, and GuestAgentPing probes no longer cause spurious pod restarts during migration. If you've been avoiding live migration in IPv6 or multi-namespace environments due to instability, this release clears those blockers.

主な変更 (5)
  • CVE fix: gRPC bumped to 1.79.3 to address GHSA-p77j-4mvh-x3m3
  • Security: symlink traversal vulnerability patched in VMExport directory handler
  • Multi-device VFIO passthrough VMs failing to start ('cannot limit locked memory') now fixed by scaling memlock rlimit per device
  • virt-api SubjectAccessReview truncation bug fixed — deep subresources like vnc/screenshot and sev/* were being authorized against wrong names
  • GuestAgentPing probes no longer trigger virt-launcher pod restarts during live migration, snapshots, or paused VM states
原文

KubeVirt

Orchestration & Management2026年6月3日

KubeVirt v1.7.4 is a patch release fixing a CVE in gRPC, authorization bugs, live migration on IPv6, and probe-triggered pod restarts during VM lifecycle events.

  • securityPatch CVE-2026-33186 by upgrading to v1.7.4 now

    The gRPC dependency was vulnerable to CVE-2026-33186. This is a direct dependency bump to 1.79.3, so upgrading your KubeVirt installation to v1.7.4 is the only required action — no configuration changes needed. Prioritize this if your cluster runs workloads exposed to untrusted input over gRPC.

  • breakingAudit authorization if you use VNC, SEV, or evacuate subresources

    The SubjectAccessReview truncation bug meant RBAC checks were being evaluated against incorrect subresource names — which could have allowed access that should have been denied, or denied access that should have been allowed. After upgrading, verify that your RBAC policies for vnc/screenshot, sev/*, and evacuate/cancel subresources behave as intended. This is not just a security fix; it's a correctness fix for authorization logic.

  • enhancementVMs using GuestAgentPing probes during migrations or pauses should no longer bounce

    If you've been seeing unexpected virt-launcher pod restarts during live migrations or VM pause operations, this was a known probe behavior issue. The fix suppresses false-positive probe failures during pre-copy target, post-copy source, user pause, snapshot, save, and dump states. No action required — just upgrade. If you had workarounds in place (e.g., disabling GuestAgentPing during migrations), you can now remove them.

主な変更 (5)
  • CVE-2026-33186 remediated by bumping google.golang.org/grpc to 1.79.3
  • GuestAgentPing probes no longer trigger virt-launcher pod restarts during live migration, pause, snapshot, save, or dump operations
  • Cross-namespace live migration now works correctly on IPv6 clusters
  • Fixed virt-api SubjectAccessReview bug that caused authorization checks against wrong subresource names for vnc/screenshot, sev/*, and evacuate/cancel endpoints
  • PCI hostdev VMs no longer fail to restart after hotplugging a block volume; PCI topology now gates on machine type, not just architecture
原文

KubeVirt

Orchestration & Management2026年6月3日

KubeVirt v1.6.6 is a patch release fixing 9 notable bugs including a CVE remediation, authorization bypass in virt-api, and broken cross-namespace live migration on IPv6 clusters.

  • securityPatch CVE-2026-33186 by upgrading to v1.6.6

    The grpc dependency was bumped to remediate CVE-2026-33186. If your KubeVirt deployment exposes gRPC endpoints or you're running in a multi-tenant cluster, this is the main reason to push this upgrade now. Check your current version and plan the rollout — this is a patch release so the upgrade path should be straightforward.

  • securityFix incorrect SubjectAccessReview checks in virt-api — audit your RBAC

    virt-api was constructing SubjectAccessReviews with truncated subresource names for deep paths like vnc/screenshot and sev/*. This means authorization checks were running against wrong resource names, potentially allowing or denying access incorrectly. After upgrading, audit any RBAC policies that restrict access to VNC, SEV, or evacuation subresources to confirm they behave as intended.

  • breakingIPv6 clusters: cross-namespace live migration was silently broken — verify after upgrade

    If you're running KubeVirt on an IPv6 cluster and rely on cross-namespace live migrations, those migrations were failing. This fix restores the expected behavior. After upgrading, run a test migration across namespaces in your IPv6 environment to confirm the fix holds before relying on it in production workflows.

  • enhancementPCI hostdev users on mixed machine types: restart reliability improved

    VMs using PCI passthrough hostdevices were failing to restart after hotplugging a block volume. The root cause was PCI topology being gated only on architecture, not machine type. If you manage VMs with PCI hostdevices and have seen unexplained restart failures post-hotplug, this patch resolves it — no config change needed, just the upgrade.

主な変更 (5)
  • CVE-2026-33186 patched via grpc bump — update immediately if running in environments with untrusted gRPC traffic
  • virt-api was truncating subresource paths (vnc/screenshot, sev/*, evacuate/cancel) in SubjectAccessReviews, causing auth checks to silently pass against wrong subresource names
  • Cross-namespace live migration now works correctly on IPv6 clusters — previously broken
  • PCI topology now gated on machine type instead of architecture alone, fixing VM restart failures after hotplug block volume with PCI hostdevices
  • AgentUpdated events now fire only on actual domain info changes, reducing unnecessary event noise in clusters using QEMU guest agent
原文

Jaeger

Observability2026年6月3日

v2.19.0 ships the new /api/v3/trace-summaries endpoint and migrates the UI search to use it, plus TLS for ClickHouse and a configurable gRPC max message size.

  • breakingUI search migration to /api/v3/trace-summaries requires compatible backend

    The UI now exclusively uses /api/v3/trace-summaries for search results. If you run a custom or older storage backend via the gRPC storage plugin, it must implement the SummaryReader interface or the fallback full-trace aggregation path kicks in. Verify your storage plugin supports this before upgrading. If you pin the UI separately from the backend, do not upgrade the UI to this version without also upgrading the backend to v2.19.0.

  • breakingRename query.num_traces to query.search_depth in any API v3 clients

    Any scripts, dashboards, or integrations that pass query.num_traces to the v3 API will still work via the deprecated alias, but you should migrate to query.search_depth now. The deprecated alias will eventually be removed. Also check for snake_case HTTP query params — camelCase is now the canonical form, with snake_case kept as deprecated aliases.

  • enhancementSet max_recv_msg_size_mib if you see gRPC message size errors in remote storage

    Teams using the gRPC remote storage plugin with large traces often hit the default gRPC message size cap. The new max_recv_msg_size_mib config option on the gRPC storage client lets you raise this limit explicitly. If you've been seeing 'received message larger than max' errors from your storage backend, configure this value in your Jaeger deployment config to fix it without workarounds.

  • enhancementEnable TLS for ClickHouse storage in production

    The ClickHouse storage plugin now supports TLS configuration. If you're running ClickHouse as a Jaeger backend in any environment where the connection crosses a network boundary, configure TLS now rather than relying on network-level controls alone.

主な変更 (6)
  • UI search now calls /api/v3/trace-summaries instead of fetching full traces — this is a breaking UI change requiring a backend that supports the new endpoint
  • New GET /api/v3/trace-summaries HTTP endpoint and matching gRPC FindTraceSummaries handler for lightweight search results without full trace payloads
  • query.num_traces renamed to query.search_depth in API v3; old name kept as deprecated alias — update any tooling or scripts using the old parameter
  • ClickHouse storage plugin now supports TLS configuration
  • gRPC storage client gains max_recv_msg_size_mib config to handle large trace payloads that previously hit message size limits
  • Elasticsearch index templates now include missing scope and link fields — existing indices may need reindexing
原文

CRI-O

Kubernetes Core2026年6月3日

CRI-O v1.36.1 is a small patch fixing a container status regression where ImageRef flipped to a raw image ID after restart, plus a debug log verbosity reduction.

  • breakingUpgrade if you rely on ImageRef for image identity after restarts

    Before this fix, CRI-O restarts caused ImageRef in container status to switch from a repo@digest string to a raw image ID. Any tooling that parses ImageRef — admission controllers, audit pipelines, image policy enforcers — could silently receive the wrong format and fail validation or produce incorrect audit records. If you run workloads where CRI-O restarts are common (e.g., upgrades, node reboots), patch to v1.36.1 immediately and validate your tooling handles the repo@digest format consistently.

  • enhancementExpect quieter debug logs under high-frequency List* RPC calls

    Clusters with aggressive monitoring or reconciliation loops generating frequent ListContainers/ListPodSandboxes calls were generating excessive debug log volume, which hurt CRI-O performance under high load. After this patch, debug logging is less chatty for these paths. If you previously reduced log levels specifically to work around this noise, you can now safely re-enable debug logging without the same overhead.

主な変更 (4)
  • Fixed ImageRef regression: container status now correctly returns repo@digest format (not raw image ID hash) after CRI-O restarts
  • Reduced log verbosity for List* RPC calls, cutting noise in debug-level logging under frequent polling
  • No dependency changes — pure bug fix release
  • SLSA provenance, OpenVEX, and SPDX SBOMs published for supply chain verification
原文

CRI-O

Kubernetes Core2026年6月3日

CRI-O v1.34.9 fixes two concurrency bugs: a panic from racing StopContainer calls and a spurious exit code 255 on fast-exiting containers. Pure bug-fix release, no dependency changes.

  • breakingPanic risk on concurrent StopContainer — upgrade if you drain nodes or run rapid pod teardowns

    If your cluster drains nodes, runs batch workloads with rapid pod churn, or uses any automation that issues multiple StopContainer calls in parallel, the pre-fix versions could panic CRI-O, taking down the container runtime on that node. This is a hard crash, not a graceful error. Upgrade to v1.34.9 immediately on any node where concurrent stop operations are plausible.

  • enhancementExit code 255 false positives are gone — review alerting and restart policies

    Exit code 255 is often treated as a runtime-level failure in monitoring stacks and can trigger unnecessary pod restarts or alerts. If you have OOMKill or fast-exit workloads (init containers, short-lived jobs) and have seen spurious 255 exit codes in your logs or metrics, those were false positives from this race. After upgrading, audit your alerting rules and CrashLoopBackOff history — you may find some pods were incorrectly flagged.

主な変更 (3)
  • Fixed panic caused by concurrent StopContainer calls sending on an already-closed channel
  • Fixed race condition that incorrectly reported exit code 255 for containers that exited quickly
  • No dependency additions, changes, or removals
原文

CRI-O

Kubernetes Core2026年6月3日

Single-fix patch release resolving a race condition that caused CRI-O to incorrectly report exit code 255 for fast-exiting containers.

  • breakingFalse exit code 255 may have masked real container failures

    If your monitoring, alerting, or restart policies key off exit code 255, you may have been misclassifying fast-exiting containers as crashed. After upgrading, audit any runbooks or OOMKill/CrashLoopBackOff workflows that treat exit code 255 as a specific signal — the real exit codes from short-lived containers will now surface correctly.

  • enhancementUpgrade straightforward for 1.33.x users — no config or dependency changes

    This is a clean drop-in replacement for v1.33.12. No dependency bumps, no config changes required. Plan a rolling node drain and replace the CRI-O binary. Prioritize nodes running batch jobs, init containers, or short-lived workloads where fast exits are common and exit code accuracy matters most.

主な変更 (3)
  • Fixed race condition causing exit code 255 misreport when containers exit quickly
  • No dependency changes — pure bug fix targeting a specific runtime edge case
  • Affects amd64, arm64, ppc64le, and s390x builds equally
原文

containerd

Kubernetes Core2026年6月2日

Security patch release fixing CVE-2026-46680 plus runtime bugs in sandbox service, AppArmor compatibility, and OCI USER spec handling.

  • securityPatch CVE-2026-46680 immediately

    CVE-2026-46680 is the primary driver for this release. Review the GHSA advisory to understand the attack surface and severity. If you run containerd 2.1.x in any environment, upgrading to 2.1.8 should be your next deployment task. There are no dependency changes, so the upgrade path is straightforward.

  • breakingOCI USER out-of-range values now fail explicitly — check your container specs

    Previously, out-of-range USER values in OCI specs could silently fall through to username/group lookups, masking misconfigurations. Now containerd returns an explicit error. If any of your containers or image builds set numeric USER values outside valid UID/GID ranges, they will start failing visibly after this upgrade. Audit your specs before rolling out to production.

  • enhancementUpgrade if you run AppArmor < 3.0 or use sandbox-based runtimes

    The conditional AppArmor abi fix is a real blocker for anyone on older AppArmor (e.g., Ubuntu 20.04 ships 2.x). The sandbox service bug also affects event-driven workflows and correct sandbox creation — silent misconfiguration is worse than a visible error. If you use Kata Containers or any sandbox-based runtime, this fix directly affects you.

主な変更 (5)
  • CVE-2026-46680 addressed — check the advisory for scope and impact before upgrading
  • OCI spec now returns explicit errors for out-of-range USER values instead of silently triggering unexpected username/group lookups
  • Sandbox service bugs fixed: Create fields were not being forwarded correctly and event topics were broken
  • AppArmor abi field now set conditionally, restoring compatibility with AppArmor versions below 3.0
  • Volatile snapshotter now accepts both 'volatile' and 'fsync=volatile' mount option styles
原文

Rook

Storage & Data2026年6月2日

Rook v1.20 hands CSI driver management to the Ceph CSI operator — a breaking change for anyone with custom CSI config — while adding encrypted OSD resize, Vault Agent SSE-S3, and stabilizing concurrent cluster reconciliation.

  • breakingMigrate CSI config to Ceph-CSI operator before customizing anything

    Existing clusters will survive the upgrade with previously applied CSI settings, but any future CSI changes must go through the Ceph-CSI OperatorConfig and Driver CRs — not the Rook configmap. Helm users need the ceph-csi-drivers chart for operator settings (custom images stay in rook-ceph chart values). Audit your current CSI customizations now and plan the migration path before upgrading. Don't wait until you need to change a CSI setting post-upgrade to figure this out.

  • enhancementAudit CRUSH rules before upgrading if you rely on custom ones

    Rook now deletes unused CRUSH rules by default on mgr startup. If your environment has CRUSH rules that appear unused but are intentionally retained for failover or manual placement, set ROOK_DELETE_UNUSED_CRUSH_RULES=false in the operator config before upgrading. Losing custom CRUSH rules silently is the kind of thing that only hurts when you need them most.

  • enhancementEnable concurrent cluster reconciliation if running multiple Ceph clusters

    ROOK_RECONCILE_CONCURRENT_CLUSTERS is now marked stable after testing in prior releases. If you manage multiple CephCluster objects in one operator, enable this setting to reduce reconciliation bottlenecks. This is especially useful in multi-tenant or multi-cluster operator deployments where one slow cluster previously blocked others.

主な変更 (5)
  • Breaking: CSI settings removed from Rook operator configmap and Helm chart; new installs must use Ceph-CSI OperatorConfig and Driver CRs
  • Encrypted host-based OSDs now auto-expand when the underlying disk is resized (encryptedDevice: true, non-PVC clusters)
  • SSE-S3 server-side encryption now supports HashiCorp Vault Agent authentication for CephObjectStore
  • Concurrent cluster reconciliation (ROOK_RECONCILE_CONCURRENT_CLUSTERS) is now stable
  • Unused CRUSH rules deleted by default after mgr starts; set ROOK_DELETE_UNUSED_CRUSH_RULES=false to opt out
原文

NATS

Networking & Messaging2026年6月2日

NATS v2.14.2 is a focused stability release fixing multiple JetStream data integrity issues, lock release bugs, and protocol corruption risks — upgrade if you run JetStream at any meaningful scale.

  • securityProtocol corruption vectors closed — critical for WebSocket and JetStream users

    Two protocol corruption bugs were fixed: one in $JS.ACK subject rewriting and one in compressed WebSocket client buffer handling. Either could produce malformed frames that corrupt stream state or client sessions. If you expose NATS WebSocket endpoints or rely heavily on JetStream ACKs, treat this as a security-adjacent stability issue and prioritize the upgrade.

  • breakingTwo separate lock-release bugs can cause silent hangs — patch now

    Both the filestore and consumer code paths had cases where locks were never released after specific error conditions (write errors and start sequence errors). In production this means stuck consumers or hung filestore operations that don't recover without a restart. If you've seen unexplained JetStream stalls, this is likely why. Upgrade to v2.14.2 immediately.

  • enhancementHigh subject-count streams no longer risk CPU spikes — no config change needed

    The filestore block skip check was triggering runaway CPU on streams with very high subject counts. The fix is automatic after upgrade — no configuration changes required. If you've been working around this with stream design compromises (e.g., artificially limiting subjects per stream), you can revisit those decisions after upgrading.

主な変更 (5)
  • Protocol-level corruption fixed in two separate paths: $JS.ACK subject rewriting and compressed WebSocket buffer misuse
  • JetStream filestore lock bug fixed — a write error could leave the lock unreleased, causing hangs
  • Consumer lock also fixed — a start sequence error path failed to release its lock
  • Runaway CPU fix: filestore no longer runs block skip checks on streams with extremely high subject counts
  • Raft peer tracking corrected after inactivity stalls during catchup, and peer set drift fixed after online node removal
原文

NATS

Networking & Messaging2026年6月2日

v2.12.10 is a focused bug-fix release addressing protocol corruption risks, JetStream Raft/quorum issues, and a CPU runaway bug in high-cardinality streams.

  • securityUpdate x/crypto and nkeys immediately

    This release bumps golang.org/x/crypto to v0.52.0 and nkeys to v0.4.16. These libraries handle cryptographic operations in NATS auth flows. Don't wait for scheduled maintenance — patch now, especially if your clusters are internet-exposed or use decentralized auth.

  • breakingProtocol corruption fixes require prompt upgrade for WebSocket and JetStream users

    Two separate protocol-level corruption bugs are fixed here: one in compressed WebSocket clients, one in $JS.ACK subject rewriting. Either can silently corrupt message framing. If you run WebSocket clients or any JetStream workload with acknowledgements, staying on 2.12.9 or earlier is a real risk. Upgrade servers first, then clients.

  • enhancementHigh-cardinality JetStream streams get a CPU safety fix — verify your config

    The block skip check on streams with very high subject counts could cause runaway CPU. That check is now disabled for those cases. If you've been seeing unexpected CPU spikes on JetStream nodes with streams containing millions of subjects, this is likely the culprit. After upgrading, also review Counter stream and message schedule configs — new constraints are enforced that may reject previously accepted but incorrect configurations.

主な変更 (5)
  • Fixed protocol-level corruption from $JS.ACK subject rewriting and compressed WebSocket buffer misuse — both are data-safety issues
  • Raft peer tracking fixed after inactivity stalls during catchup, and peer-set drift after online node removal corrected
  • Quorum calculation bug fixed when gateway URLs resolve to multiple IPs — affects multi-datacenter deployments
  • Filestore no longer runs CPU hot on streams with extremely high subject counts (block skip check removed)
  • Go 1.25.10 and updated x/crypto, nkeys, and jwt/v2 dependencies
原文

Longhorn

Storage & Data2026年6月2日

Longhorn v1.12.0 promotes the V2 Data Engine to GA, ships dual-stack/IPv6 support, and fixes critical instance-manager panics and replica scheduling bugs that caused cascading volume failures.

  • breakingMigrate V2 backing image volumes before upgrading

    Any V2 volume created from a backing image cannot be upgraded in-place. Before upgrading to v1.12.0, back up each affected volume, delete it, and restore from backup — the restored volume has no backing image dependency. Skipping this step will cause attach failures post-upgrade. Use CDI for future VM disk image imports.

  • breakingDetach V2 volumes before patch-level upgrades

    V2 volumes do not support live upgrades between v1.12.x patch releases. Plan maintenance windows to detach all V2 volumes before applying patch upgrades. Live upgrade across minor versions (v1.12 to v1.13) is planned but not yet available.

  • breakingEncrypted migratable volumes need engine image upgrade before live migration

    The LUKS2 header pre-allocation fix for encrypted volumes introduces a constraint: live migration of encrypted volumes requires engine image CLI API version 12 or later. Upgrade the engine image to v1.12.0+ before attempting live migration; otherwise migration will fail.

  • enhancementReview SPDK CPU allocation on existing V2 deployments

    The default CPU mask now uses 2 cores instead of 1. For clusters already running V2 volumes with a manually set single-core mask, consider increasing it — single-core configs under heavy I/O cause RPC starvation and operational instability. On ARM64 with NVMe-backed node disks, avoid multi-core SPDK configs for now and use AIO-backed disks until the stuck I/O bug is resolved.

  • enhancementEnable dual-stack networking — but verify node IP family ordering first

    Dual-stack Kubernetes clusters are now supported, but only when all nodes have IP families configured in the same order (all IPv4-first or all IPv6-first). Audit your node network configs before enabling. Mixed ordering causes replica-to-engine connectivity failures with no obvious error surface.

主な変更 (6)
  • V2 Data Engine reaches GA — but live upgrades between v1.12 patch releases require volume detach first; live upgrade support comes in v1.13
  • V2 Backing Images removed; migrate by backup/restore via CDI before upgrading or face volume attach failures
  • Default SPDK CPU mask changed from 1 core (0x1) to 2 cores (0x3) to prevent RPC starvation under heavy I/O
  • Topology-aware PV provisioning added via csi-allowed-topology-keys setting and strictTopology StorageClass parameter
  • CSIStorageCapacity bug fixed — compute-only nodes no longer report zero capacity and block WaitForFirstConsumer scheduling
  • Instance-manager panic during replica rebuild storms fixed, eliminating cascading volume detachments across PVCs
原文

Knative

Orchestration & Management2026年6月2日

Knative Serving v1.22.1 is a focused patch fixing an idle connection leak in the network prober, a memory leak in webhook matchers, and adding a 3MiB webhook request body size limit.

  • securityApply the 3MiB webhook body limit immediately

    The new hard cap on webhook request body size closes a potential vector for memory exhaustion via oversized payloads. If you run Knative Serving in a multi-tenant or externally-exposed environment, upgrade to v1.22.1 now — don't wait for your next maintenance window.

  • breakingWebhook requests larger than 3MiB will now be rejected

    If any of your workloads submit unusually large objects to Knative's admission webhooks (e.g., Services or Configurations with very large env var blocks or annotations), those requests will start failing after this upgrade. Audit object sizes before rolling out, and trim any oversized metadata or spec fields.

  • enhancementUpgrade to stop slow memory and connection accumulation

    The prober connection leak and the expired-matcher memory leak are both cumulative — they degrade pod health gradually over time rather than causing immediate crashes. Clusters that have been running v1.22.0 for a while may already be affected. After upgrading, watch activator and webhook pod memory trends to confirm they stabilize.

主な変更 (3)
  • Fixed idle connection leak in the networking prober component
  • Fixed memory leak caused by expired matchers in knative/pkg
  • Webhook request body size is now capped at 3MiB to prevent unbounded memory consumption
原文

etcd

Kubernetes Core2026年6月1日

etcd v3.6.12 is a patch release in the 3.6 series. The release notes are sparse — check the full CHANGELOG for specifics before upgrading.

  • breakingRead the CHANGELOG before upgrading

    The release notes for v3.6.12 are essentially empty — no changes are listed inline. Before upgrading any etcd cluster, pull the full CHANGELOG-3.6.md from the repo and review all entries since your current version. The official upgrade guide explicitly warns of potential breaking changes in the 3.6 series.

  • enhancementVerify container registry targets in your pipelines

    etcd maintains two registries: gcr.io is primary, quay.io is secondary. If your CI/CD or deployment manifests pin to quay.io, confirm it stays in sync with the primary. For production clusters, prefer gcr.io/etcd-development/etcd to avoid lag.

主な変更 (4)
  • Patch release in the 3.6.x maintenance track
  • Full change details available in the CHANGELOG-3.6.md, not included in release notes
  • Upgrade guide should be reviewed prior to deployment, as breaking changes may exist
  • Container images available on gcr.io/etcd-development/etcd (primary) and quay.io/coreos/etcd (secondary)
原文
← 新しい古い →