RATATOSKRATATOSK
ログイン

リリース

CNCF graduated・incubatingプロジェクトのリリースノートのAI分析。

Litmus

Observability2026年3月18日

Litmus 3.27.0 ships Job targeting for chaos experiments and fixes a cluster of stability bugs: nil pointer crashes, GitOps deadlocks, race conditions, and probe detection failures.

  • breakingGitOps two-way sync was silently broken — verify your sync state after upgrading

    The GitOps sync handler goroutine was disabled, meaning changes in Git were not propagating back to Litmus in two-way mode. After upgrading to 3.27.0, manually trigger a sync and confirm experiment state matches your Git source of truth. Any drift that accumulated should be reconciled.

  • enhancementTarget Kubernetes Jobs in chaos experiments

    If your team runs batch workloads or CI pipelines as Kubernetes Jobs, you can now inject chaos directly into them. Update your experiment manifests to reference Job resources and validate resilience of batch processing paths — something previously impossible without workarounds.

  • enhancementMultiple nil pointer and race condition fixes reduce silent failures

    At least three separate nil pointer dereferences are fixed in this release (subscriber, QueryServerVersion, YAML parser), plus experiment run race conditions. If you've seen intermittent crashes or experiments stuck in inconsistent states, upgrading is the straightforward fix — no config changes needed.

主な変更 (5)
  • New: Kubernetes Jobs can now be targeted in chaos experiments, expanding workload coverage beyond Deployments and StatefulSets
  • 503 returned when MongoDB is down, enabling probes to correctly detect infrastructure failures instead of hanging
  • Subscriber crash on Workflow ADD events (nil pointer dereference) fixed — previously could silently break experiment scheduling
  • GitOps deadlock in GitMutexLock.Unlock resolved, and the GitOps sync handler goroutine re-enabled to restore two-way sync
  • CMD probe command limit raised from 1024 characters, unblocking complex probe scripts
原文

Backstage

CI/CD & App Delivery2026年3月17日

v1.49.0 is a landmark release: the New Frontend System hits 1.0 RC, the CLI becomes extensible via modules, and there are multiple breaking changes in UI components, integrations, and entity cards requiring migration work.

  • breakingMigrate entity cards and BUI components before upgrading `@backstage/plugin-catalog`

    The major version bump on `@backstage/plugin-catalog` means direct action is required. Remove all `variant` prop usage from EntityAboutCard, EntityLinksCard, EntityLabelsCard, GroupProfileCard, and UserProfileCard. Wrap your app in a `BUIProvider` inside a React Router context — without it, Link, ButtonLink, Tabs, Menu, and Table lose client-side navigation. Also rename any CSS selectors using old `bui-HeaderPage` class patterns and camelCase data attributes. Audit custom components that implement the old `Checkbox` `selected`/`indeterminate` props and switch to `isSelected`/`isIndeterminate`.

  • breakingRemove all deprecated Bitbucket and legacy integration config immediately

    The old `bitbucket` config key and Azure DevOps `token`/`credential` fields are gone — not deprecated, gone. If your `app-config.yaml` still references these, your backend will fail to start after upgrading. Replace `bitbucket` with `bitbucketCloud` or `bitbucketServer`, migrate Azure DevOps to the `credentials` array, and update any Gerrit URL utility calls. Check scaffolder templates too, as `parseRepoUrl` no longer handles `bitbucket`.

  • enhancementAdd `@backstage/cli-defaults` as a devDependency now, not later

    The CLI module system is live, and the fallback to built-in commands already emits a deprecation warning. Add `@backstage/cli-defaults` to your root `devDependencies` today to silence the warning and future-proof your setup before the fallback is removed entirely. If you maintain custom CLI tooling, look at `createCliModule` in `@backstage/cli-node` to package it properly as a first-class CLI extension.

主な変更 (7)
  • New Frontend System reaches 1.0 RC — new apps use it by default, `--next` flag replaced by `--legacy`
  • Multiple breaking UI changes in Backstage UI (BUI): Checkbox props renamed, CSS classes renamed, `BUIProvider` now required for routing, deprecated types removed
  • Entity cards (`EntityAboutCard`, `EntityLinksCard`, etc.) migrated from MUI to BUI with `variant` prop removed — `@backstage/plugin-catalog` receives a major version bump
  • Deprecated Bitbucket integration and legacy fields fully removed from `@backstage/integration`, `@backstage/backend-defaults`, and scaffolder packages
  • CLI refactored into modular `cli-module` packages — add `@backstage/cli-defaults` as a devDependency now to avoid future fallback removal warning
  • Predicate-based catalog filtering added to `queryEntities()`, `getEntitiesByRefs()`, and `getEntityFacets()` via new POST endpoints
  • Permission checks batched per tick for better performance on permission-heavy pages
原文

Kubescape

Security2026年3月17日

Kubescape v4.0.3 is a small patch release adding a --grype-db-url flag for offline/airgapped Grype database usage, plus a bug fix for missing host errors and dependency bumps.

  • securitygo-git updated to v5.16.5 — pull this upgrade promptly

    go-git patch releases frequently address vulnerabilities in git protocol parsing. Review the go-git v5.16.5 changelog to confirm whether any CVEs are addressed, and prioritize this upgrade if your Kubescape usage involves scanning git repositories or if you embed Kubescape as a library.

  • breakingMissing host now returns an error — check your error handling

    Previously, a missing host in scan targets silently returned nil instead of an error. If your pipelines or scripts were treating a zero-exit-code as success in these cases, they may now surface failures they were previously ignoring. Test your scan workflows after upgrading to make sure error handling behaves as expected.

  • enhancementUse --grype-db-url for airgapped or private mirror setups

    If you run Kubescape in environments without direct internet access, the new --grype-db-url flag lets you point image scans at an internal Grype DB mirror. Set this in your CI pipelines or operator configs now rather than patching environment variables or workarounds you may have hacked together previously.

主な変更 (5)
  • New --grype-db-url flag on 'kubescape scan' lets you override the default Grype vulnerability database URL
  • Fixed a bug where a missing host did not return a proper non-nil error, which could silently swallow scan failures
  • go-git bumped to v5.16.5 (likely security/bug fixes in git operations)
  • OpenTelemetry SDK bumped to 1.40.0
  • Added debug logging for scanInfo.ListingURL to aid troubleshooting Grype DB fetches
原文

Lima

Kubernetes Core2026年3月17日

Lima v2.1.0 adds experimental macOS and FreeBSD guest support, renames the guest home directory path, and consolidates disk files — a release with real migration considerations alongside useful new features.

  • breakingDisk file consolidation means no downgrade path

    Once an instance runs under Lima v2.1, its disk format is incompatible with v2.0 and v1.x. Snapshot or back up critical VM instances before upgrading. If you manage shared Lima environments or CI pipelines that pin Lima versions, ensure all consumers upgrade together — you can't roll back individual instances.

  • breakingHardcoded paths to `/home/${USER}.linux` will break

    The guest home directory is now `/home/${USER}.guest`. A symlink covers the old path, so most things will keep working. However, any scripts, dotfiles, or tooling that hardcodes the `.linux` suffix — particularly in non-symlink-aware contexts like bind mounts or container volume paths — should be audited and updated.

  • enhancementUse `limactl shell --sync` for AI agent workflows

    If you're running AI coding agents (e.g., Claude Code, Aider) inside Lima shells, `--sync` prevents the agent from accidentally modifying host files by syncing the working directory into the guest context. Adopt this flag in any automation or agent harness that launches `limactl shell` — it's a low-friction safety net.

  • enhancementk3s template now supports multi-node clusters

    The built-in `k3s` template can now spin up multi-node clusters, which makes local Kubernetes testing significantly more realistic. If you've been working around this limitation with custom configs or alternative tools like Rancher Desktop, it's worth re-evaluating the native template.

主な変更 (6)
  • Experimental macOS and FreeBSD guest support via new templates (`template:macos`, `template:freebsd`)
  • Guest home directory renamed from `/home/${USER}.linux` to `/home/${USER}.guest`; old path symlinked for compatibility
  • `basedisk` + `diffdisk` consolidated into a single `disk` file — instances from v2.0/v1.x boot fine in v2.1, but not the reverse
  • New `limactl shell --sync` flag to isolate AI agent shell sessions from host filesystem
  • Host-to-guest time synchronization added in the hostagent; guestagent binary shrunk from 14MB to 6.1MB
  • QEMU is now the default hypervisor for non-native architectures
原文

KubeVirt

Orchestration & Management2026年3月16日

KubeVirt v1.7.2 is a patch release fixing 7 bugs across networking, storage, monitoring, and backup — no new features, but several fixes that could unblock production issues.

  • breakingCheck VMI specs if you're running mixed NIC configurations

    The infinite status loop fix targets VMIs where the primary network interface appears after a secondary one in the spec. If you have VMs stuck in update churn or virt-controller/virt-handler showing abnormal CPU/log volume, this is likely the cause. Upgrade to v1.7.2 and verify your VMI specs list the primary interface first to avoid re-triggering the issue on older clusters.

  • enhancementWindows VM backup users should update for reliable Velero integration

    The QuiesceFailed-to-QuiesceTimeout change plus a 60s pre-backup hook timeout directly addresses flaky Windows VSS snapshot behavior during Velero backups. If you're backing up Windows VMs and seeing intermittent quiesce failures, this patch resolves it. Review your Velero backup policies to ensure the hook timeout aligns with your SLAs.

  • enhancementGoogle Cloud NetApp Volumes storage migration is unblocked

    If you're running VMs on GCP with NetApp Volumes and tried live storage migration, it was silently failing. This patch fixes that. Test your migration workflows after upgrading — especially if you deferred any storage moves because of this bug.

主な変更 (7)
  • Fixed infinite VMI status update loop when primary NIC is listed after secondary interfaces in the VMI spec
  • Fixed PCI address stability across upgrades when using v3 hotplug port topology
  • Fixed storage migration failures with Google Cloud NetApp Volumes
  • Corrected kubevirt_allocatable_nodes metric to exclude non-schedulable nodes
  • Replaced QuiesceFailed with QuiesceTimeout for Windows VSS backups, adding a 60s Velero pre-backup hook timeout
  • Fixed low-replica alerts to use the deployment's defined replica count as the baseline
  • Fixed socket devices failing to update health status when Persistent Reservations is enabled
原文

KubeVirt

Orchestration & Management2026年3月16日

KubeVirt v1.6.4 is a patch release with 108 changes targeting stability: a CVE fix in crypto, several hotplug/migration bugs squashed, and new vCPU queue alerting.

  • securityPatch CVE-2025-47913 — upgrade to v1.6.4 now

    CVE-2025-47913 affects the golang/x/crypto dependency. This release pins it to OpenShift's patched fork. If you're running any v1.6.x release before v1.6.4, you're exposed. Upgrade immediately — no workaround exists short of patching the binary yourself.

  • breakingCross-vendor live migrations are now blocked

    KubeVirt will now explicitly prevent live migrations between nodes with different CPU vendors (e.g., Intel to AMD). If your cluster has mixed CPU vendors and you've been relying on cross-vendor migration — intentionally or not — audit your node topology before upgrading. Migrations that previously succeeded may now fail with an error.

  • enhancementAdd vCPU queue alerts to your monitoring setup

    Two new alerts ship in this release: GuestPeakVCPUQueueHighWarning and GuestPeakVCPUQueueHighCritical. If you're running KubeVirt with Prometheus, check that these alerts are picked up by your alerting rules. They give you early warning on guest CPU starvation, which is otherwise invisible until VMs start misbehaving under load.

主な変更 (5)
  • CVE-2025-47913 remediated by redirecting golang/x/crypto to the patched openshift/golang-crypto module
  • PCI address stability fixed across upgrades when using v3 hotplug port topology
  • Block volume hotplug no longer breaks autoattachVSOCK
  • New Prometheus alerts: GuestPeakVCPUQueueHighWarning and GuestPeakVCPUQueueHighCritical for guest CPU saturation visibility
  • Memory overcommit is now recalculated on live migration, and cross-vendor migrations are explicitly blocked
原文

Flux

CI/CD & App Delivery2026年3月16日

Flux v2.8.3 fixes a critical helm-controller regression that broke templating for charts containing YAML separators or embedded content.

  • breakingUpgrade immediately if using Helm charts with YAML separators

    The regression in v2.8.2 breaks templating for common chart patterns like multi-document YAML files and embedded scripts. Review your Helm deployments for failures and upgrade to v2.8.3 now. Follow the official upgrade procedure for Flux v2.7+ to avoid migration issues.

  • enhancementValidate Helm chart deployments after upgrade

    After upgrading, check that previously failing Helm releases now deploy successfully. Pay special attention to charts that embed certificates, scripts, or use multiple YAML documents. This fix restores functionality that may have silently failed in recent versions.

主な変更 (4)
  • Fixed helm-controller templating errors when charts contain '---' separators
  • Resolved issues with embedded scripts and CA certificates in ConfigMaps
  • Added target branch name functionality to CLI update operations
  • Updated toolkit components for improved compatibility
原文

Argo

CI/CD & App Delivery2026年3月16日

Argo CD 3.3.4 delivers critical bug fixes for token refresh handling and git-lfs support, plus enhanced security documentation - a maintenance release that improves operational stability.

  • securityVerify signed release assets

    All container images now include cosign signatures and SLSA Level 3 provenance. Use the official verification documentation to validate your container images before deployment, particularly in security-sensitive environments.

  • breakingReview token refresh configurations

    The token refresh fix resolves parsing errors that could affect component behavior. Check your existing token configurations and monitor for any authentication issues after upgrading, especially in multi-component setups.

  • enhancementUpgrade for ppc64le architecture support

    If running on ppc64le systems, this release fixes git-lfs functionality that was previously broken due to missing checksums. Plan your upgrade to restore full git-lfs capabilities on these architectures.

主な変更 (5)
  • Fixed token refresh threshold parsing errors affecting unrelated components
  • Added missing git-lfs installer checksum for ppc64le architecture support
  • Updated OpenTelemetry SDK dependencies for better observability
  • Enhanced documentation for cluster version changes and migration guidance
  • Maintained SLSA Level 3 compliance with signed container images and provenance
原文

KServe

AI & ML2026年3月13日

v0.17.0 delivers substantial LLM-focused improvements with the new LLMInferenceService beta, enhanced storage parallelization, vLLM 0.15.1 upgrade, and important CVE fixes affecting production deployments.

  • securityApply critical CVE patches immediately

    This release addresses several high-impact CVEs including path traversal (storage-initializer), HTTP parser vulnerabilities (h11, starlette), and cryptography subgroup attacks. Update to v0.17.0 promptly, especially if you're using storage-initializer or external model downloads. Review your current CVE scanning results against the patched versions.

  • breakingPlan LLMInferenceService migration path

    The new LLMInferenceService CRD introduces a dedicated API for LLM workloads with different semantics than standard InferenceService. If you're running LLM models, evaluate migrating to this new resource type for better autoscaling, routing, and operational features. The CRD includes breaking changes in API structure.

  • enhancementLeverage parallel storage downloads for faster deployments

    Storage-initializer now downloads blobs in parallel from S3 and Azure, dramatically reducing model loading times for large models. This is particularly beneficial for LLM workloads. No configuration changes needed - the improvement is automatic upon upgrade.

主な変更 (5)
  • Introduced LLMInferenceService CRD with webhooks, autoscaling support, and comprehensive Gateway API integration
  • Added parallel blob downloads for S3 and Azure storage, significantly improving model loading performance
  • Upgraded vLLM runtime to 0.15.1 with enhanced startup probes and configuration flexibility
  • Fixed multiple CVEs including path traversal, HTTP parser vulnerabilities, and cryptography issues
  • Added OpenVINO model server runtime and predictive inference server for expanded model format support
原文

Longhorn

Storage & Data2026年3月13日

Longhorn v1.11.1 delivers critical bug fixes including a major memory leak in instance manager pods and backup failures with S3-compatible storage, making it an urgent upgrade for v1.11.0 users.

  • securityBackup restore functionality compromised

    S3-compatible backup targets (Storj, GCS) were failing due to AWS SDK v2 authorization issues. Test your backup and restore workflows after upgrading, especially if using non-AWS S3 endpoints. Verify large backup transfers complete successfully.

  • breakingUrgent upgrade required for v1.11.0 users

    Users running v1.11.0 experiencing high memory usage in instance manager pods must upgrade immediately. The memory leak can cause cluster instability and pod evictions. Plan upgrade maintenance window and monitor memory usage during rollout.

  • enhancementImproved scheduling with topology awareness

    New CSI topology-aware nodeAffinity controls provide better volume placement. Review your storage class configurations to leverage allowedTopologies and strictTopology settings for multi-zone deployments and specific node scheduling requirements.

主な変更 (5)
  • Fixed critical memory leak in longhorn-instance-manager pods caused by proxy connection leaks
  • Resolved AWS SDK v2 compatibility issues causing backup failures to S3-compatible storage like Storj and GCS
  • Enhanced V2 Data Engine with improved fast replica rebuild and clone functionality
  • Added CSI topology-aware PV nodeAffinity control for better scheduling
  • Fixed storage double-counting that caused scheduling failures when multiple replicas exist on same node
原文

Strimzi

Networking & Messaging2026年3月12日

Strimzi 0.45.2 is the final patch release for the 0.45.x branch, focusing on critical CVE fixes and Kafka 3.9.2 support while serving as the last version supporting ZooKeeper-based clusters.

  • securityApply patch immediately for CVE fixes

    This release addresses multiple high-priority CVEs in ZooKeeper, JWT libraries, and networking components. Upgrade to 0.45.2 immediately to patch these vulnerabilities, especially if you handle sensitive data or run internet-facing services.

  • breakingMigrate to KRaft before upgrading beyond 0.45.x

    This is your last chance to run ZooKeeper-based Kafka clusters in Strimzi. Plan your KRaft migration now since Strimzi 0.46+ will only support KRaft mode. Follow the official KRaft migration guide and test thoroughly in non-production first.

  • breakingHandle Kafka 3.9.2 annotation issue for future upgrades

    If you're using Kafka 3.9.2, upgrading to Strimzi 0.46-0.51 will require manually updating pod annotations. Save the provided kubectl command for when you upgrade: it updates the Kafka version annotation on pods to prevent operator failures.

主な変更 (5)
  • Final patch release for 0.45.x branch - no further patches will be released
  • Added support for Apache Kafka 3.9.2 with container image updates
  • Multiple CVE fixes including ZooKeeper CVE-2024-47554, Nimbus Jose JWT CVE-2025-53864, and GRPC Netty Shaded CVE-2025-55163
  • Last Strimzi version to support ZooKeeper-based Kafka clusters and MirrorMaker 1
  • Upgraded dependency versions: Vert.x 4.5.24, Netty 4.1.130.Final, Apache Log4J 2.25.3, Cruise Control 2.5.146
原文

Helm

Kubernetes Core2026年3月11日

Helm v4.1.3 patches multiple critical bugs affecting OCI registries, dry-run operations, and value handling that were causing deployments to fail or behave unpredictably in production environments.

  • breakingUpdate OCI registry workflows immediately

    If you use OCI registries that store both container images and Helm charts under the same tag, upgrade now. The previous bug caused complete pull failures. Test your chart pulls after upgrading to ensure compatibility with your registry setup.

  • enhancementReview autoscaling upgrade timeouts

    Upgrades now properly wait for cluster autoscalers and rolling updates instead of failing prematurely. Review your deployment pipelines and consider reducing any artificial delays you added to work around this issue. Monitor initial upgrades closely to verify improved behavior.

  • enhancementValidate dry-run operations with generateName

    Server-side dry-run now correctly handles generateName fields. If you've been avoiding dry-run validation for resources using generateName, re-enable it in your CI/CD pipelines. This improves pre-deployment validation coverage.

主な変更 (5)
  • Fixed dry-run server mode not respecting generateName, causing validation issues
  • Resolved OCI registry failures when pulling charts from mixed container/chart repositories
  • Fixed nil value preservation preventing proper chart defaults overrides
  • Corrected FailedStatus handling that caused premature upgrade failures during autoscaling
  • Eliminated YAML corruption from template whitespace trimming after post-rendering
原文

KubeEdge

Provisioning & Runtime2026年3月11日

KubeEdge v1.23 ships a major edge DB refactor (Beego → GORM), node query optimization to cut edge-cloud bandwidth, device anomaly detection in CRDs, and solid Windows EdgeCore improvements.

  • breakingUpdate all Device status reads to use the new DeviceStatus CRD

    Device status has been extracted from the Device CRD into a standalone DeviceStatus CRD. The release says backward compatibility is maintained for the CRD schema itself, but any code, scripts, or automation that reads device status directly from the Device object will silently miss updates after the upgrade. Audit your operators, dashboards, and GitOps pipelines before upgrading — reroute status reads to the new DeviceStatus CRD.

  • enhancementValidate edge DB behavior after the Beego-to-GORM migration

    The entire edge database layer has been rewritten. GORM replaces Beego ORM and all DB operations are now funneled through a single MetaManager entry point. This is a lower-risk change but still a deep internal refactor. Run your existing edge workloads against a staging environment on v1.23 before rolling to production — watch for any edge cases in MetaManager behavior, especially around reconnect and offline-mode scenarios.

  • enhancementTake advantage of local node query optimization for large deployments

    If you're running dozens or hundreds of edge nodes, the shift from remote CloudCore node queries to local edge DB lookups should noticeably reduce your edge-cloud tunnel bandwidth. No configuration change is required — CloudCore automatically syncs node updates to the edge DB. Still worth monitoring your edge-cloud channel metrics post-upgrade to confirm the improvement in your specific topology.

主な変更 (6)
  • Edge DB refactored from Beego ORM to GORM with a unified MetaManager entry point — lighter binary, cleaner code path
  • Node queries now served from local edge DB instead of remote CloudCore calls, reducing edge-cloud channel pressure at scale
  • Device anomaly detection is now configurable in Device CRD pushMethod and pluggable at the mapper level
  • Device CRD status split into a separate DeviceStatus CRD — existing consumers must update their queries
  • Windows EdgeCore improvements: named pipe DMI, version-aware keadm upgrade, and log file redirection for service mode
  • Vendored Kubernetes bumped to v1.32.10
原文

containerd

Kubernetes Core2026年3月10日

containerd 2.2.2 fixes critical CRI networking bugs, registry credential leakage, and AppArmor compatibility issues that could affect production Kubernetes workloads.

  • securityUpdate to prevent registry credential exposure

    Registry credentials could leak in error messages and pod events. Deploy this patch immediately if you use private registries with authentication, as these credentials might appear in logs or Kubernetes events that could be accessed by unauthorized users.

  • breakingFix CNI network cleanup after restarts

    CNI DEL operations weren't executing after containerd restarts, leaving stale network configurations. This affects pod networking reliability. Update before your next maintenance window to prevent network namespace leaks and potential IP conflicts.

  • enhancementUpgrade for AppArmor compatibility

    AppArmor profiles now work correctly with unix domain sockets on modern kernels. If you're running newer kernel versions and experiencing socket connection issues with AppArmor enabled, this update resolves the compatibility problem.

主な変更 (5)
  • Fixed CNI cleanup issue where network teardown failed after containerd restarts
  • Resolved credential leakage in error messages when registry authentication fails
  • Fixed AppArmor profile causing unix socket failures on newer kernels
  • Corrected registry mirror configuration migration for legacy setups
  • Fixed nil pointer crashes in memory metrics when constraints are partially configured
原文

cert-manager

Security2026年3月10日

cert-manager v1.20.0 introduces Gateway API ListenerSet support, Azure Private DNS integration, and promotes OtherNames to Beta, while fixing several ACME and DNS-related bugs.

  • securityUpdate for DNS DoS vulnerability fix

    A moderate security issue allowed attackers to cause controller denial-of-service through malformed DNS responses. Update immediately if your cert-manager controllers are exposed to untrusted DNS servers or networks where DNS traffic could be manipulated.

  • breakingContainer UID/GID changes affect security contexts

    Default container user changed from UID 1000 to 65532, and group from GID 0 to 65532. Review your pod security policies, security contexts, and file permissions if you've hardcoded these values or rely on root group access.

  • enhancementEnable Azure Private DNS for internal certificate management

    New Azure Private DNS support allows DNS-01 challenges for private zones. Configure your Azure DNS issuer with private zone settings to manage certificates for internal services without exposing DNS records publicly.

主な変更 (5)
  • Gateway API ListenerSet resource support with experimental feature gate
  • Azure Private DNS zones support for DNS-01 challenges
  • OtherNames feature promoted to Beta and enabled by default
  • Network policy configuration flags across all containers
  • Enhanced Venafi provider with custom fields annotation support
原文

Dapr

Orchestration & Management2026年3月9日

Dapr 1.17.1 fixes critical runtime issues including WASM component registration failures on production architectures and workflow cleanup problems.

  • breakingUpgrade immediately if using WASM components

    WASM binding and middleware components were completely broken on production architectures in v1.16.0-v1.17.0. Applications using these components failed to start. Test your WASM components after upgrading to confirm they register and function correctly.

  • enhancementExpect placement service performance improvements

    Large clusters with many non-actor sidecars will see reduced placement overhead. Monitor placement service metrics and actor invocation latency—you should observe fewer lock cycles and improved performance, especially during sidecar restarts.

  • enhancementReview workflow cleanup configurations

    Previously stalled workflows that became unstalled can now be properly cleaned up. Verify your state retention policies are working as expected and check for any workflow instances that should have been purged but weren't.

主な変更 (4)
  • WASM binding and middleware components now register properly on amd64/arm64/arm architectures after filename build constraint fix
  • Previously stalled workflows can now be cleaned up by state retention policies and purge APIs
  • Placement service no longer triggers unnecessary dissemination cycles for sidecars without actor types
  • Bulk subscription timers properly reset after early dispatch due to message count limits
原文

Open Policy Agent (OPA)

Security2026年3月9日

OPA v1.14.1 is a patch release that reverts rule indexer changes causing lookup failures and fixes a plugin manager deadlock, while updating dependencies for security vulnerabilities.

  • securitySecurity updates in dependencies

    This release includes Go 1.26.1 and updated dependencies that patch known vulnerabilities. Schedule this upgrade as part of your regular security maintenance cycle, especially if you're running OPA in production.

  • breakingUpgrade immediately if using v1.14.0

    The rule indexer changes in v1.14.0 cause policy lookup failures for some configurations. Deploy v1.14.1 to restore reliable policy evaluation. The optimization will return in v1.15.0 with proper fixes.

  • enhancementPlugin manager stability improved

    The deadlock fix resolves intermittent hangs during configuration operations. If you've experienced unexplained OPA freezes during plugin configuration, this release should eliminate those issues.

主な変更 (4)
  • Reverted rule indexer optimization from v1.14.0 that caused unexpected policy lookup failures
  • Fixed intermittent deadlock in plugins manager during opa.configure operations
  • Updated Go to version 1.26.1 and refreshed dependency versions
  • Addressed various Golang standard library and package vulnerabilities
原文

Dragonfly

Storage & Data2026年3月9日

Dragonfly v2.4.2 adds gRPC rate limiting and scheduler cluster configuration while improving security scores and fixing several configuration inconsistencies.

  • breakingUpdate configuration files for renamed fields

    The rateLimit configuration field was renamed to bandwidthLimit. Check your configuration files and update any references to use the new naming convention to avoid configuration parsing errors.

  • enhancementConfigure gRPC rate limiting for production

    The new gRPC rate limiting feature protects against resource exhaustion attacks. Review your current traffic patterns and configure appropriate rate limits in your Dragonfly configuration to prevent service degradation under load.

  • enhancementLeverage new scheduler cluster management

    With scheduler cluster de-registration support, implement proper cluster lifecycle management in your deployment scripts. This helps maintain cluster health and prevents orphaned schedulers from affecting performance.

主な変更 (5)
  • Added gRPC server request rate limiting to prevent resource exhaustion
  • Introduced scheduler cluster de-registration support for better cluster management
  • Added seed client configuration support for improved peer connectivity
  • Refactored configuration naming for consistency (rateLimit → bandwidthLimit)
  • Upgraded API to v2.2.14 and multiple dependency updates for security patches
原文

Jaeger

Observability2026年3月7日

Jaeger v2.16.0 introduces breaking changes requiring Go 1.25.7 and removes legacy remote sampling format, while improving ClickHouse performance and adding Elasticsearch health-check timeout support.

  • breakingUpgrade Go to version 1.25.7 before deploying

    The Go version requirement is now enforced across the codebase. Teams running older Go versions will face build failures. Update your build environments, CI/CD pipelines, and container images to Go 1.25.7 before attempting to upgrade or build from source.

  • breakingUpdate remote sampling client integrations

    The legacy remote sampling endpoint response format has been removed. If your applications use custom remote sampling clients that depend on the old format, they will break. Review your sampling configuration and update any custom clients to use the current format before upgrading.

  • enhancementEnable Elasticsearch health-check timeout for improved startup reliability

    New startup health-check timeout configuration prevents indefinite blocking during Elasticsearch connectivity issues. Add health-check timeout settings to your Elasticsearch storage configuration to improve service startup reliability in environments with intermittent connectivity.

主な変更 (6)
  • Go version requirement bumped to 1.25.7 across the entire codebase
  • Legacy remote sampling endpoint response format removed
  • ClickHouse query performance improved through findtraceids restructuring
  • Elasticsearch health-check timeout support added for startup reliability
  • HTTP servers migrated from Gorilla Mux to stdlib http.ServeMux
  • UI fixes for critical path visualization and v3 API client base path handling
原文

Dapr

Orchestration & Management2026年3月6日

Dapr 1.16.10 fixes critical WASM component registration failures on production architectures and patches security vulnerabilities in Go runtime and OpenTelemetry SDK.

  • securityUpdate for Go runtime and OpenTelemetry security patches

    This release patches vulnerabilities in Go 1.25.7 (crypto/tls, go command) and OpenTelemetry SDK (arbitrary code execution via PATH hijacking). Plan your upgrade within your normal security patching window, prioritizing environments where PATH manipulation is possible.

  • breakingUpgrade immediately if using WASM components

    WASM binding and middleware components have been completely broken on production architectures since v1.16.0. If you're using these components and running v1.16.0-v1.16.9, upgrade to v1.16.10 immediately as your WASM components are silently failing to register.

  • enhancementReview Pulsar Avro message publishing for early error detection

    Pulsar PubSub now validates JSON messages against Avro schemas before publishing, catching malformed data earlier. Test your Pulsar publishing workflows to ensure they handle the new validation errors gracefully and benefit from faster codec performance.

主な変更 (5)
  • Fixed WASM binding and middleware components failing to register on amd64/arm64 architectures due to filename collision with Go build constraints
  • Added Pulsar PubSub Avro schema validation to prevent malformed messages from being published without error feedback
  • Updated Go runtime to 1.25.7 with security fixes for crypto/tls and go command vulnerabilities
  • Upgraded OpenTelemetry SDK to v1.40.0 to patch arbitrary code execution vulnerability (GO-2026-4394)
  • Cached Pulsar Avro codec compilation at initialization for improved publishing performance
原文

Strimzi

Networking & Messaging2026年3月6日

Strimzi 0.51.0 addresses critical CVEs and drops support for Kubernetes versions below 1.30, while adding Kafka 4.2.0 support and moving ServerSideApplyPhase1 to beta.

  • securityUpgrade immediately for CVE fixes

    Two critical CVEs affect Strimzi 0.47.0 and newer versions. Review the security advisories to determine if your deployment is affected, then upgrade to 0.50.1 or 0.51.0 immediately. The CVE numbers appear to be from 2026, which suggests these may be embargoed vulnerabilities with delayed disclosure.

  • breakingVerify Kubernetes compatibility before upgrading

    Strimzi 0.51.0 requires Kubernetes 1.30+. Check your cluster version before upgrading. If running Kubernetes 1.27-1.29, upgrade your cluster first or remain on an earlier Strimzi version until cluster upgrade is possible.

  • breakingUpdate CRDs and KafkaUser resources during upgrade

    Manually upgrade CRDs as part of the Strimzi upgrade process, especially when using Helm. For clusters upgrading from 0.48 or older, update KafkaUser resources to use the new `.spec.authorization.acls[]operations` field format before upgrading.

主な変更 (5)
  • Critical security fixes for CVE-2026-27133 and CVE-2026-27134 requiring immediate upgrade from versions 0.47.0+
  • Kubernetes 1.30+ now required - versions 1.27, 1.28, and 1.29 no longer supported
  • Added Kafka 4.2.0 support while removing Kafka 4.0.0 and 4.0.1 compatibility
  • Per-listener Kafka configuration options now available for connection limits and reauthentication settings
  • Ingress listener type deprecated due to upstream project archival in March 2026
原文

CRI-O

Kubernetes Core2026年3月3日

CRI-O v1.35.1 fixes critical systemd container issues with user namespaces and adds TLS configuration options for API servers.

  • breakingTest systemd workloads with user namespaces

    A regression in v1.35.0 broke systemd containers when hostUsers: false is set. This patch fixes it, but if you're running v1.35.0, upgrade immediately and test any systemd workloads that use user namespace isolation to ensure they start properly.

  • enhancementConfigure TLS settings for production security

    New TLS configuration options let you harden streaming and metrics server security. Add tls_min_version and tls_cipher_suites to your [crio.api] section to enforce TLS 1.3 and strong cipher suites in production environments.

  • enhancementVerify runc v1.4.0 compatibility

    The update to runc v1.4.0 brings performance improvements and bug fixes. Test your container workloads, especially those using advanced features like cgroups v2 or checkpoint/restore, to ensure compatibility with the new runtime version.

主な変更 (5)
  • Fixed systemd containers failing with 'Permission denied' errors when user namespaces are enabled
  • Added TLS configuration options (tls_min_version, tls_cipher_suites) for streaming and metrics servers
  • Improved OCI artifact pull fallback logic to skip retries on retryable errors
  • Updated runc to v1.4.0 and multiple dependency versions for stability
  • Enhanced TLS support with configurable TLS 1.2 (default) and TLS 1.3 options
原文

Karmada

Orchestration & Management2026年2月28日

Karmada v1.16.3 is a bug-fix release addressing critical issues including controller race conditions, scheduler panics, and graceful eviction problems that could impact multi-cluster operations stability.

  • breakingUpgrade immediately to prevent scheduler crashes

    The scheduler panic fix for divide-by-zero errors is critical for production stability. Schedule maintenance window to upgrade karmada-scheduler component, especially if you use spread constraints across clusters with dynamic availability.

  • enhancementReview CronFederatedHPA configurations after upgrade

    The fix for CronFederatedHPA scale-up failures when replicas field is missing improves reliability. After upgrading, verify your CronFederatedHPA resources are scaling correctly from zero replicas, and consider adding explicit replicas fields to avoid edge cases.

  • enhancementMonitor graceful eviction behaviors post-upgrade

    The graceful eviction timing fix prevents GracePeriodSeconds leakage between tasks. After upgrade, monitor your workload evictions to ensure they complete within expected timeframes and adjust grace periods if needed for improved resource cleanup.

主な変更 (5)
  • Fixed job status aggregator race condition causing error loops in controller manager
  • Resolved CronFederatedHPA scaling failures when replicas field is missing
  • Corrected graceful eviction task timing issues preventing proper resource cleanup
  • Fixed scheduler divide-by-zero panic when no valid clusters available for spread constraints
  • Improved backoff queue sorting to prevent priority inversion in scheduler operations
原文

Karmada

Orchestration & Management2026年2月28日

Karmada v1.15.6 is a critical bug-fix release addressing race conditions, scheduler panics, and CronFederatedHPA failures that could impact production stability.

  • securityBase image security update included

    Alpine base image updated to 3.23.3 which may include security patches. Review your container scanning results after upgrade and update any custom images based on Karmada components.

  • breakingCritical scheduler stability fixes require immediate update

    The scheduler panic fix and backoff queue corrections address critical stability issues that could cause service disruptions. Plan immediate upgrade for production environments running multi-cluster workloads with spread constraints or high scheduling volumes.

  • enhancementCronFederatedHPA reliability improvements

    If using CronFederatedHPA for autoscaling, this release fixes scale-up failures when replicas field is missing. Update to ensure consistent autoscaling behavior across your federated deployments.

主な変更 (5)
  • Fixed job status aggregator race condition preventing error loops
  • Resolved CronFederatedHPA scale-up failures when replicas field is missing
  • Corrected graceful eviction task timing issues with GracePeriodSeconds
  • Fixed scheduler panic from divide-by-zero errors in spread constraints
  • Improved backoff queue sorting to prevent priority inversion issues
原文

Vitess

Storage & Data2026年2月27日

Security-focused release addressing two critical CVEs related to backup MANIFEST file vulnerabilities that could allow arbitrary command execution and path traversal attacks.

  • securityImmediate upgrade required for CVE-2026-27965 and CVE-2026-27969

    Two critical CVEs allow attackers with backup storage write access to execute arbitrary commands and perform path traversal attacks. Upgrade immediately to v22.0.4 and review backup storage access controls to ensure only trusted entities have write permissions.

  • securityAudit and secure backup storage access

    Since these vulnerabilities require write access to backup storage, review who has write permissions to your backup locations. Implement proper access controls and consider using immutable backup storage where possible to prevent tampering.

  • breakingUpdate VTTablet configuration if using MANIFEST-based decompressors

    External decompressor commands from MANIFEST files are ignored by default. If your restore process relies on this behavior, add the --external-decompressor-use-manifest flag to your VTTablet configuration, but understand this reintroduces security risks.

主な変更 (4)
  • External decompressor commands from backup MANIFEST files are no longer used by default
  • Path traversal attacks via MANIFEST file modifications are now prevented
  • New --external-decompressor-use-manifest flag added for explicit opt-in to MANIFEST-based decompressor
  • 37 merged pull requests with security-focused improvements
原文

Vitess

Storage & Data2026年2月27日

Vitess v23.0.3 is a critical security release addressing two CVEs related to backup restore vulnerabilities, with breaking changes to external decompressor handling.

  • securityImmediate Upgrade Required for Backup Security

    This release fixes critical vulnerabilities (CVE-2026-27965, CVE-2026-27969) that allow attackers with backup storage write access to execute arbitrary commands or perform path traversal attacks. Upgrade immediately if you use Vitess backups, especially in environments where backup storage might be compromised. Review backup storage access controls and audit recent backup operations for suspicious activity.

  • breakingUpdate VTTablet Configuration for External Decompressors

    If your backup/restore process relies on external decompressors defined in MANIFEST files, you must add the --external-decompressor-use-manifest flag to your VTTablet configuration. Without this flag, restores will fail if they depend on MANIFEST-specified decompressors. Review your backup strategy and explicitly configure decompressor commands instead of relying on MANIFEST files for better security.

  • enhancementStrengthen Backup Security Posture

    Take this opportunity to review and harden your backup security practices. Implement strict access controls on backup storage, use dedicated service accounts with minimal permissions, and consider encrypting backup storage. The new security model provides better isolation but requires explicit configuration of decompression tools rather than trusting backup metadata.

主な変更 (5)
  • External decompressor commands from backup MANIFEST files are no longer used by default during restore
  • Added --external-decompressor-use-manifest flag to explicitly opt into MANIFEST-based decompressor usage
  • Implemented path traversal protection to prevent arbitrary file writes during backup restore
  • Fixed CVE-2026-27965 and CVE-2026-27969 related to backup security vulnerabilities
  • 22 merged pull requests focused on security improvements
原文

Flux

CI/CD & App Delivery2026年2月24日

Flux v2.8.0 introduces major GitOps capabilities including Helm v4 support, enhanced observability, faster recovery times, and improved notification features while removing deprecated APIs.

  • breakingMigrate from deprecated v1beta2/v2beta2 APIs immediately

    Deprecated APIs have been removed from CRDs. Follow the official upgrade procedure for Flux v2.7+ to migrate your resources to supported API versions before upgrading to v2.8.0.

  • enhancementEnable faster application recovery with new feature gate

    Activate the CancelHealthCheckOnNewRevision feature gate on your Kustomizations and HelmReleases to reduce recovery time during application failures by canceling health checks when new revisions are detected.

  • enhancementImplement automated PR notifications for GitOps workflows

    Configure Pull Request commenting in your notification providers to enable direct feedback from Flux deployments to development teams, improving visibility and collaboration in GitOps workflows.

主な変更 (5)
  • Helm v4 support with server-side apply and improved health checking
  • Reduced mean time to recovery with CancelHealthCheckOnNewRevision feature gate
  • Pull Request commenting support in notification providers
  • Custom SSA apply stages for ordered resource deployment in kustomize-controller
  • Automatic GitHub App installation ID lookup from repository owners
原文

Knative

Orchestration & Management2026年2月24日

Knative v1.21.1 is a patch release that rebuilds v1.21.0 with Kubernetes v1.25.7 and provides advance notice of upcoming security defaults changes in v1.22.

  • securityPrepare for enhanced pod security posture

    Review your container images and workloads that run as root. The upcoming AllowRootBounded setting restricts root access while maintaining compatibility. Audit your applications now and consider migrating away from root execution where possible for better security alignment.

  • breakingTest workloads for v1.22 security changes now

    The secure-pod-defaults will change from disabled to AllowRootBounded in v1.22. Test your workloads with this setting enabled now. If incompatible, explicitly set secure-pod-defaults to disabled in your configuration before upgrading to v1.22 to avoid service disruptions.

主な変更 (4)
  • Rebuilt with Kubernetes v1.25.7 for compatibility and stability
  • secure-pod-defaults remains disabled by default in v1.21.1
  • Future v1.22 release will change secure-pod-defaults to AllowRootBounded by default
  • AllowRootBounded setting provides better security while maintaining compatibility with root-requiring images
原文

KubeVirt

Orchestration & Management2026年2月23日

KubeVirt v1.7.1 delivers critical bug fixes for live migration, volume hotplug, and VM snapshot operations, along with enhanced monitoring capabilities and security updates.

  • securityUpdate to address crypto dependency vulnerabilities

    The golang.org/x/crypto dependency was updated to v0.45.0 to address security issues. Plan to upgrade to this version promptly, especially in production environments handling sensitive workloads, as crypto vulnerabilities can impact VM security.

  • breakingCross-vendor migration prevention requires review

    KubeVirt now prevents cross-vendor migrations which may break existing workflows that rely on migrating VMs between different infrastructure providers. Review your migration patterns and ensure source and target nodes use compatible virtualization stacks.

  • enhancementImplement ephemeral volume monitoring

    New metrics and alerts for ephemeral hotplug volumes improve operational visibility. Configure your monitoring stack to capture these new metrics and set up alerts for ephemeral volume lifecycle events to better track resource usage and potential issues.

主な変更 (6)
  • Fixed decentralized live migration issues between volumes with different volumeModes
  • Resolved block volume hotplug breaking autoattachVSOCK functionality
  • Added ephemeral hotplug volume metrics and alerts for better monitoring
  • Fixed missing migration metrics that impacted observability
  • Updated security dependencies including golang.org/x/crypto to v0.45.0
  • Enhanced VM export functionality to work with PVCs from completed pods
原文

Argo

CI/CD & App Delivery2026年2月22日

Argo CD v3.3.2 fixes the critical client-side apply migration issue that affected self-managed installations in v3.3.0/v3.3.1, requiring specific upgrade steps for users managing Argo CD with itself.

  • breakingEnable ServerSideApply for Self-Managed Installations

    If you have an Argo CD Application managing your Argo CD installation, you must enable `ServerSideApply=true` sync option on that Application before upgrading to v3.3.2. This is required for the upgrade to succeed and prevents apply migration failures.

  • breakingRemove Temporary ClientSideApplyMigration Setting

    If you previously upgraded to v3.3.0/v3.3.1 and set `ClientSideApplyMigration=false` as a workaround, remove this setting after upgrading to v3.3.2. Keeping it may cause field manager conflicts with other Kubernetes controllers.

  • enhancementSafe Upgrade Path for Previously Affected Users

    Users affected by the v3.3.0/v3.3.1 client-side apply migration bug can now safely upgrade to v3.3.2. Follow the upgrade guide carefully and test the upgrade process in a non-production environment first, especially for self-managed installations.

主な変更 (4)
  • Fixed client-side apply migration failure that prevented successful upgrades in v3.3.0/v3.3.1
  • Resolved conflicts between Argo CD field manager and other Kubernetes field managers
  • Updated documentation to clarify upgrade requirements for self-managed installations
  • Maintained SLSA Level 3 provenance and cosign signatures for all container images
原文

Contour

Networking & Messaging2026年2月20日

Contour v1.33.2 is a maintenance release that fixes a critical HTTPProxy status update bug, upgrades Go to v1.25.7, and improves CPU allocation for the shutdown-manager container.

  • securityUpgrade for Go security patches

    Go v1.25.7 includes security fixes and performance improvements. Schedule an upgrade to benefit from these updates, especially if you're running production workloads with previous Contour versions.

  • breakingFix HTTPProxy status update issues

    If you're experiencing load balancer status update failures with HTTPProxy resources, this release fixes the CRD schema issue. Upgrade immediately if you rely on status fields for monitoring or automation.

  • enhancementImproved Gateway Provisioner performance

    The increased CPU limit for shutdown-manager prevents throttling issues. If you're using Contour Gateway Provisioner and experiencing slow shutdown operations, this upgrade will improve performance.

主な変更 (4)
  • Go runtime updated to v1.25.7 for latest security and performance improvements
  • Fixed HTTPProxy CRD schema bug causing load balancer status update failures
  • Increased shutdown-manager CPU limit from 50m to 200m in Gateway Provisioner to prevent throttling
  • Maintains compatibility with Kubernetes versions 1.32 through 1.34
原文

Contour

Networking & Messaging2026年2月20日

Contour v1.32.3 is a maintenance release that updates Go runtime to v1.24.13 and fixes a critical CRD schema bug preventing load balancer status updates.

  • securityUpdate for Go Security Fixes

    Go v1.24.13 includes security patches. Schedule upgrade to v1.32.3 during your next maintenance window to benefit from runtime security improvements and bug fixes.

  • breakingFix Load Balancer Status Issues

    If you're experiencing load balancer status update failures with HTTPProxy resources, upgrade immediately. The CRD schema fix resolves status reporting issues that could affect traffic routing visibility and monitoring.

主な変更 (4)
  • Go runtime updated to v1.24.13 with security fixes and improvements
  • Fixed HTTPProxy CRD schema bug that incorrectly marked status.loadBalancer.ingress[].ports[].error as required field
  • Resolved load balancer status update failures affecting ingress traffic routing
  • Maintained compatibility with Kubernetes versions 1.31 through 1.33
原文

Kyverno

Security2026年2月19日

Kyverno v1.17.1 is a focused patch release fixing a CVE, multiple crash/panic conditions, race conditions, and image verification bugs that could silently misbehave in production.

  • securityPatch CVE-2025-68121 now

    CVE-2025-68121 is fixed in this release. Details on scope are limited in the notes, but any CVE fix in an admission controller warrants immediate attention. If you're on v1.17.0, upgrade to v1.17.1 before doing anything else. Don't wait for your next maintenance window.

  • breakingVerify your policy exclusion rules if you use empty lists

    A bug was fixed where an empty list in a policy exclusion would silently exclude ALL resources instead of none. If you have any ClusterPolicy or Policy with exclusion blocks, audit them now. If you were unknowingly relying on empty-list-as-exclude-all behavior (unlikely but possible), your policies will now behave correctly — meaning resources that were previously skipped will now be evaluated.

  • enhancementImage verification with TSA and private registries is now reliable

    Two separate ivpol fixes land here: signed timestamp verification is now correctly enabled when a TSACertChain is provided, and private registry secrets in the Kyverno namespace are now used during background report scanning. If you've been seeing unexpected verification failures in background scans or with TSA-based signature policies, upgrade and re-run your report scans to get accurate results.

主な変更 (5)
  • CVE-2025-68121 patched — update immediately if running v1.17.0
  • Panic fixed in metrics wrapper when generate response returns no result — previously could crash the controller
  • Race conditions eliminated in configuration.IsExcluded() and ReportsBreaker — affected correctness under concurrent load
  • Image verification (ivpol) fixes: private registry auth now works in reports scanner, multi-signature annotation validation bug resolved, and TSA signed timestamp verification enabled when cert chain is provided
  • Empty list in policy exclusion no longer silently excludes all resources — a subtle but dangerous behavioral bug
原文

Fluentd

Observability2026年2月19日

Fluentd v1.19.2 delivers critical bug fixes for socket leaks and connection timeouts, with Ruby 4.0 compatibility improvements. Priority fix for production stability issues affecting out_forward and HTTP server plugins.

  • securityUpgrade immediately to fix socket leak vulnerability

    HTTP server plugin had socket leaks in POST requests that could lead to resource exhaustion. This is a critical fix for production environments using HTTP input plugins. Update immediately and monitor socket usage after deployment.

  • breakingUpdate out_forward configurations for timeout handling

    The out_forward plugin now properly handles connection timeouts to prevent infinite loops. Review your forward output configurations and monitor for any connection behavior changes, especially in high-throughput environments where connection stability is critical.

  • enhancementPrepare for Ruby 4.0 migration

    This release adds Ruby 4.0 compatibility with updated gem dependencies including ostruct and net-http. Plan your Ruby upgrade path and test this version in staging environments if you're planning to move to Ruby 4.0.

主な変更 (5)
  • Fixed out_forward plugin timeout issue preventing infinite connection loops
  • Resolved socket leaks in HTTP server plugin POST requests
  • Fixed in_tail plugin errors when encountering unreadable files in glob patterns
  • Added Ruby 4.0 compatibility with updated gem dependencies
  • Fixed duplicate config file loading in config_include_dir
原文

Strimzi

Networking & Messaging2026年2月19日

Strimzi 0.50.1 is a critical security patch addressing two CVEs affecting versions 0.47.0+, with mandatory CRD upgrades and final support for Kubernetes 1.27-1.29.

  • securityImmediate upgrade required for CVE fixes

    If running Strimzi 0.47.0 or newer, immediately review the CVE advisories and upgrade to 0.50.1. These are critical security vulnerabilities that require urgent patching in production environments.

  • breakingUpdate KafkaUser resources before upgrading

    Before upgrading, update all KafkaUser resources to use .spec.authorization.acls[]operations field instead of the deprecated .spec.authorization.acls[]operation field to avoid compatibility issues.

  • breakingPlan Kubernetes upgrade for Strimzi 0.51+

    This is the final version supporting Kubernetes 1.27-1.29. Plan to upgrade your clusters to Kubernetes 1.30+ before upgrading to Strimzi 0.51.0 or newer to maintain compatibility.

主な変更 (5)
  • Fixes two critical security vulnerabilities CVE-2026-27133 and CVE-2026-27134 affecting Strimzi 0.47.0+
  • Includes full CA chain in broker certificates for improved TLS certificate validation
  • Fixes bugs in v1 API conversion tool for number conversions and empty YAML handling
  • Last version supporting Kubernetes 1.27, 1.28, and 1.29 - future versions require K8s 1.30+
  • Continues migration to v1 APIs with mandatory CRD upgrades, especially critical for Helm users
原文
← 新しい